Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability #4029

Closed
rvagg opened this issue Nov 25, 2015 · 4 comments
Labels
meta Issues and PRs related to the general management of the project.

Comments

@rvagg
Copy link
Member

rvagg commented Nov 25, 2015

This announcement is for:

CVE-2015-8027 Denial of Service Vulnerability

Description and CVSS Score

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _vulnerable_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

Metric Score
Base Score: 7.5 (High)
Base Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope of Impact: Unchanged (S:U)
Confidentiality Impact: None (C:N)
Integrity Impact: None (I:N)
Availability Impact: High (A:H)

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-8027 is listed on the MITRE CVE dictionary and NIST NVD.

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

Description and CVSS Score

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _not affected_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

Metric Score
Base Score: 4.4 (Medium)
Base Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Medium (AC:H)
Privileges Required: High (PR:H)
User Interaction: None (UI:N)
Scope of Impact: Unchanged (S:U)
Confidentiality Impact: None (C:N)
Integrity Impact: None (I:N)
Availability Impact: High (A:H)

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-6764 is listed on the MITRE CVE dictionary and NIST NVD.

Action and updates

New releases of v0.12.x, v4.x and v5.x on Wednesday the 2nd of December 2015, UTC will be made available with appropriate fixes for CVE-2015-8027 and CVE-2015-6764 (for v4.x and v5.x only) along with disclosure of the details of the bug to allow for complete impact assessment by users.

Contact and future updates

Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.


A note for @nodejs/collaborators on timing:

  • The DoS flaw was discovered by @indutny a few weeks ago and we have been sitting on it while we prepare for getting v0.12 releases out with the new infrastructure.
  • We decided to push a v0.12.8 out this week, even knowing that we'd push a v0.12.9 out next week because we really need people testing builds of 0.12 created with our new build system just in case there are problems with the binaries that we haven't anticipated (both OSX and Windows are using newer compilers, we have new build servers with slightly different configs, there's a bunch of things that could mean that v0.12.8 binaries are not close enough to v0.12.7 binaries for strange deployment environments). An alternative was to make v0.12.8 the security release but the risk of disclosing details of the DoS vulnerability while not having binaries that work wherever v0.12.x users are using Node is too high, so this double-release thing is an attempt to mitigate that risk.
  • v0.12.9 and v4.2.3 will contain only the required commits to fix the security problems.
  • v5.1.1 may be a standard release with the security commits on top (in the past we've not been as strict with Stable releases, although we don't have a documented policy on this so ...).
  • The releases will come with full disclosure, so users need to be prepared to upgrade as soon as practical.
@rvagg
Copy link
Member Author

rvagg commented Nov 30, 2015

@nodejs/collaborators / @nodejs/build we've just turned off public access to ci.nodejs.org so now it's restricted to Node.js and libuv collaborators only. This will be undone as soon as we have the binaries out on Wed/Tue. Unfortunately it's almost impossible to stop information leakage via Jenkins when testing and building with sensitive commits. Given that you all still have access, please observe the embargo and not share information or access outside of the collaborators group so we can make sure this goes smoothly.

@rvagg
Copy link
Member Author

rvagg commented Dec 1, 2015

December Security Release Schedule Update

The OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate" severity according to their severity scale:

MODERATE Severity. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.

Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2. As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users.

Since the OpenSSL release schedule is two days after our announced updates for v0.12.x, v4.x and v5.x, we have decided to postpone our security releases to coincide with OpenSSL release availability. We will also be including v0.10 in our set of releases.

Therefore, we are moving our planned security releases for Node.js from Wednesday the 2nd of December 2015, UTC to the Friday, the 4th of December 2015, UTC (Thursday the 3rd of December US time). We understand that the timing of this during the work-week is unfortunate but we must take into account the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical. Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release.

An updated summary of the release inclusions is available below:


CVE-2015-8027 Denial of Service Vulnerability

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _vulnerable_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _not affected_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

OpenSSL Moderate Severity Update

The OpenSSL project has announced a set of releases which contain fixes for multiple vulnerabilities, the highest severity being labelled "moderate". Consult the OpenSSL security policy for details on this definition. New releases of all actively maintained Node.js release lines are required in order to protect users against potential vulnerabilities in their applications. We do not have details on the nature of any of the included vulnerabilities or their fixes, users should plan for upgrades as soon as practical.

  • Versions 0.10.x of Node.js _may be vulnerable_.
  • Versions 0.12.x of Node.js _may be vulnerable_.
  • Versions 4.x, including LTS Argon, of Node.js _may be vulnerable_.
  • Versions 5.x of Node.js _may be vulnerable_.

@nodejs nodejs locked and limited conversation to collaborators Dec 1, 2015
@Fishrock123 Fishrock123 added the meta Issues and PRs related to the general management of the project. label Dec 3, 2015
@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2015

@nodejs/collaborators who would like to help smoke-test these new releases (please please) can access builds by following the links at the bottom of these pages to the build slave appropriate for their architecture and downloading the artifact you want from there:

Jenkins is still locked down so only @nodejs/collaborators and @nodejs/build for this, sorry.

I'm particularly concerned about 0.10.41 because this is the first 0.10.x on the new build infra and we're having to bite off so many changes for this release. Also 4.2.3, being our primary LTS needs to be stable.

I'll be doing my own testing over the next hour or so and writing up release posts for nodejs.org. Everything else is ready except for armv6 builds, assuming that no problems show up.

@rvagg
Copy link
Member Author

rvagg commented Dec 4, 2015

Releases are all out, see below for details.

A huge thanks to @indutny, @bnoordhuis, @shigeki and the rest of the team involved in making this epic set of releases happen.

One bit of good news here is that we are finally up to speed on both v0.10.x and v0.12.x and can start churning out releases for those again. Time to start paying more attention to fixes we can apply there.


December Security Release Summary

Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update impacts all active release lines, including v0.10.x.

Today we have released Node.js v0.10.41 (Maintenance), v0.12.9 (LTS), v4.2.3 "Argon" (LTS) and v5.1.1 (Stable) with fixes for the announced vulnerabilities and updates to OpenSSL.

For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below.

CVE-2015-8027 Denial of Service Vulnerability

This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

A bug was discovered in V8's implementation of JSON.stringify() that can result in out-of-bounds reads on arrays. The patch was included in this week's update of Chrome Stable. While this bug is high severity for browsers, it is considered lower risk for Node.js users as it requires the execution of third-party JavaScript within an application in order to be exploitable.

Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are not affected.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64

A bug exists in OpenSSL v1.0.2 in the Montgomery squaring procedure on the x64 architecture that expose potential attack vectors. Attacks against RSA and DSA are considered possible but with a very high degree of difficulty. Attacks against DHE key exchange is considered feasible but difficult. EC algorithms are not vulnerable. Node.js TLS servers using DHE key exchange are considered at highest risk although it is believed that Node.js' existing use of SSL_OP_SINGLE_DH_USE may make DHE attacks impractical. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users exposing TLS servers upgrade to patched versions as soon as practical.

  • Versions 0.10.x of Node.js are not affected.
  • Versions 0.12.x of Node.js are not affected.
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameter

A bug exists in OpenSSL v1.0.1 and v1.0.2 that may cause a crash during certificate verification procedures when supplied with a malformed ASN.1 signature using the RSA PSS algorithm. This may be used as a the basis of a denial of service (DoS) attack against Node.js TLS servers using client authentication. Node.js TLS clients are also impacted if supplied with malformed certificates for verification. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x. OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users employing either TLS client or server code upgrade as soon as practical.

Note: Node.js users are not considered vulnerable to the two additional announced OpenSSL vulnerabilities: CVE-2015-3195 "X509_ATTRIBUTE memory leak" and CVE-2015-3196 "Race condition handling PSK identify hint". However, fixes for these bugs are included with the new versions of OpenSSL bundled with the newly patched versions of Node.js.

@rvagg rvagg closed this as completed Dec 4, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
meta Issues and PRs related to the general management of the project.
Projects
None yet
Development

No branches or pull requests

2 participants