-
Notifications
You must be signed in to change notification settings - Fork 29.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability #4029
Comments
@nodejs/collaborators / @nodejs/build we've just turned off public access to ci.nodejs.org so now it's restricted to Node.js and libuv collaborators only. This will be undone as soon as we have the binaries out on Wed/Tue. Unfortunately it's almost impossible to stop information leakage via Jenkins when testing and building with sensitive commits. Given that you all still have access, please observe the embargo and not share information or access outside of the collaborators group so we can make sure this goes smoothly. |
December Security Release Schedule UpdateThe OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate" severity according to their severity scale:
Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2. As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users. Since the OpenSSL release schedule is two days after our announced updates for v0.12.x, v4.x and v5.x, we have decided to postpone our security releases to coincide with OpenSSL release availability. We will also be including v0.10 in our set of releases. Therefore, we are moving our planned security releases for Node.js from Wednesday the 2nd of December 2015, UTC to the Friday, the 4th of December 2015, UTC (Thursday the 3rd of December US time). We understand that the timing of this during the work-week is unfortunate but we must take into account the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical. Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release. An updated summary of the release inclusions is available below: CVE-2015-8027 Denial of Service VulnerabilityA bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.
CVE-2015-6764 V8 Out-of-bounds Access VulnerabilityAn additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.
OpenSSL Moderate Severity UpdateThe OpenSSL project has announced a set of releases which contain fixes for multiple vulnerabilities, the highest severity being labelled "moderate". Consult the OpenSSL security policy for details on this definition. New releases of all actively maintained Node.js release lines are required in order to protect users against potential vulnerabilities in their applications. We do not have details on the nature of any of the included vulnerabilities or their fixes, users should plan for upgrades as soon as practical.
|
@nodejs/collaborators who would like to help smoke-test these new releases (please please) can access builds by following the links at the bottom of these pages to the build slave appropriate for their architecture and downloading the artifact you want from there:
Jenkins is still locked down so only @nodejs/collaborators and @nodejs/build for this, sorry. I'm particularly concerned about 0.10.41 because this is the first 0.10.x on the new build infra and we're having to bite off so many changes for this release. Also 4.2.3, being our primary LTS needs to be stable. I'll be doing my own testing over the next hour or so and writing up release posts for nodejs.org. Everything else is ready except for armv6 builds, assuming that no problems show up. |
Releases are all out, see below for details. A huge thanks to @indutny, @bnoordhuis, @shigeki and the rest of the team involved in making this epic set of releases happen. One bit of good news here is that we are finally up to speed on both v0.10.x and v0.12.x and can start churning out releases for those again. Time to start paying more attention to fixes we can apply there. December Security Release SummaryLast week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update impacts all active release lines, including v0.10.x. Today we have released Node.js v0.10.41 (Maintenance), v0.12.9 (LTS), v4.2.3 "Argon" (LTS) and v5.1.1 (Stable) with fixes for the announced vulnerabilities and updates to OpenSSL. For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below. CVE-2015-8027 Denial of Service VulnerabilityThis critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an
CVE-2015-6764 V8 Out-of-bounds Access VulnerabilityA bug was discovered in V8's implementation of Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means.
CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64A bug exists in OpenSSL v1.0.2 in the Montgomery squaring procedure on the x64 architecture that expose potential attack vectors. Attacks against RSA and DSA are considered possible but with a very high degree of difficulty. Attacks against DHE key exchange is considered feasible but difficult. EC algorithms are not vulnerable. Node.js TLS servers using DHE key exchange are considered at highest risk although it is believed that Node.js' existing use of OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users exposing TLS servers upgrade to patched versions as soon as practical.
CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameterA bug exists in OpenSSL v1.0.1 and v1.0.2 that may cause a crash during certificate verification procedures when supplied with a malformed ASN.1 signature using the RSA PSS algorithm. This may be used as a the basis of a denial of service (DoS) attack against Node.js TLS servers using client authentication. Node.js TLS clients are also impacted if supplied with malformed certificates for verification. Details are available at http://openssl.org/news/secadv/20151203.txt. OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x. OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users employing either TLS client or server code upgrade as soon as practical.
Note: Node.js users are not considered vulnerable to the two additional announced OpenSSL vulnerabilities: CVE-2015-3195 "X509_ATTRIBUTE memory leak" and CVE-2015-3196 "Race condition handling PSK identify hint". However, fixes for these bugs are included with the new versions of OpenSSL bundled with the newly patched versions of Node.js. |
This announcement is for:
CVE-2015-8027 Denial of Service Vulnerability
Description and CVSS Score
A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.
Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).
Common Vulnerability Scoring System (CVSS) v3 Base Score:
Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
CVE-2015-8027 is listed on the MITRE CVE dictionary and NIST NVD.
CVE-2015-6764 V8 Out-of-bounds Access Vulnerability
Description and CVSS Score
An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.
Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).
Common Vulnerability Scoring System (CVSS) v3 Base Score:
Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
CVE-2015-6764 is listed on the MITRE CVE dictionary and NIST NVD.
Action and updates
New releases of v0.12.x, v4.x and v5.x on Wednesday the 2nd of December 2015, UTC will be made available with appropriate fixes for CVE-2015-8027 and CVE-2015-6764 (for v4.x and v5.x only) along with disclosure of the details of the bug to allow for complete impact assessment by users.
Contact and future updates
Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.
Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.
A note for @nodejs/collaborators on timing:
The text was updated successfully, but these errors were encountered: