Bug 1021170 (CVE-2013-4450)

Summary: CVE-2013-4450 NodeJS: HTTP Pipelining DoS
Product: [Other] Security Response
Reporter: Kurt Seifried <kseifried>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bgollahe, bleanhar, ccoleman, dmcphers, drieden, jamielinux, jdetiber, jialiu, lmeyer, mmaslano, mmcgrath, mrunge, sgallagh, tchollingsworth, tdawson, thrcka
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20131018,reported=20131019,source=oss-security,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:N/A:P,rhscl-1/nodejs010-nodejs=affected,openshift-1/nodejs=affected,openshift-enterprise-1/nodejs=affected,fedora-all/nodejs=affected,epel-6/nodejs=affected
Fixed In Version: nodejs 0.10.21, nodejs 0.8.26
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-07-04 23:27:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1021171, 1021172, 1021173, 1021174, 1021175, 1021176, 1027287
Bug Blocks: 1021177

Description Kurt Seifried 2013-10-20 00:52:55 EDT
Timothy J Fontaine of the NodeJS project reports the following security issue:

This release contains a security fix for the http server implementation, please
upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

* http: provide backpressure for pipeline flood (isaacs)

https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
https://github.com/joyent/node/issues/6214
https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692

Fixed upstream in version 0.10.21 and 0.8.26:

http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
Comment 2 Kurt Seifried 2013-10-20 00:56:31 EDT
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1021171]
Affects: epel-6 [bug 1021172]
Comment 4 Vincent Danen 2013-10-21 11:01:56 EDT
For backporting, some patches are available:

0.10.x:
https://github.com/joyent/node/commit/b97c28f59ee898a81f0df988c249359c9b42701d

0.8.x:
https://github.com/joyent/node/commit/653d4db71f569ddc87a0bc21f5ecc5ceaf37f932

And a decent technical overview can be found here:
https://news.ycombinator.com/item?id=6575080
Comment 5 Troy Dawson 2013-10-21 11:27:58 EDT
The 0.8.x patches go fairly cleanly into 0.6.20.
Looking at the code that is patched, I am fairly sure that 0.6.20 is vulnerable to this attack.  I'm also quite confident that the 0.8.x patch fixes the problem.
I have not tested either the vulnerability or the fix.
Comment 6 Stephen Gallagher 2013-10-21 11:30:59 EDT
Fedora has never shipped anything older than 0.10.x (well, the 0.9.x development branch), so I suspect figuring out if it applies to 0.6.x is pretty much academic.

I *think* Red Hat has also only ever shipped 0.10.x in Software Collections.
Comment 7 Jason DeTiberus 2013-10-21 11:41:34 EDT
0.6.x was shipped with OpenShift Enterprise and is in use by OpenShift Online.
Comment 8 Fedora Update System 2013-10-28 23:31:21 EDT
libuv-0.10.18-1.fc19, nodejs-0.10.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-10-28 23:35:57 EDT
libuv-0.10.18-1.fc18, nodejs-0.10.21-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2013-11-06 08:14:36 EST
A test case for this issue is part of nodejs test suite:
https://github.com/joyent/node/blob/v0.10.21-release/test/simple/test-http-pipeline-flood.js

Metasploit also includes a module for this issue:
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/nodejs_pipelining.rb
Comment 11 Fedora Update System 2013-11-07 14:17:26 EST
libuv-0.10.18-1.el6, nodejs-0.10.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-11-10 02:46:15 EST
libuv-0.10.18-1.fc20, nodejs-0.10.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2013-12-16 13:24:24 EST
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1842 https://rhn.redhat.com/errata/RHSA-2013-1842.html
Comment 14 Kurt Seifried 2014-07-04 23:16:44 EDT
OpenShift 2.1 uses SCL nodejs now, so removing from affected products.
Comment 15 Kurt Seifried 2014-07-04 23:22:30 EDT
nodejs 0.6 also appears to be vulnerable; the affected code:

in 0.10:

    if (parser.socket.readable) {
      // force to read the next incoming message
      readStart(parser.socket);
    }

in 0.6:

    if (parser.socket.readable) {
      // force to read the next incoming message
      parser.socket.resume();
    }
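Added example, not code from node or from this bug report: a synchronous model of the server read loop quoted in comment 15, showing why forcing the next read on every completed message lets one connection's pipelined flood pile up undrained responses, and how the backpressure the 0.10.21/0.8.26 fix describes bounds it. The policy objects, `withBackpressure` and `simulatePipelineFlood` are this example's own names; the model generalises the fix to an arbitrary pending-response limit.

```javascript
'use strict';

// Comment 15's behaviour: after each parsed message, force the socket to be
// read again regardless of whether earlier responses have been written.
const VULNERABLE = {
  keepReadingAfter: () => true,          // readStart() / socket.resume() always
  resumeAfterFinish: () => true,         // never paused, so nothing changes
};

// Backpressure policy (assumption: a generalised form of the upstream fix):
// stop reading the socket while `maxPending` responses are outstanding and
// resume only once a response finishes and the count drops below the limit.
function withBackpressure(maxPending) {
  return {
    keepReadingAfter: (pending) => pending < maxPending,
    resumeAfterFinish: (pending) => pending < maxPending,
  };
}

// One connection delivers `requestCount` pipelined requests; the application
// is slow and finishes exactly one response per event-loop turn. Returns the
// peak number of undrained responses the server held for this connection and
// the number of turns needed to drain everything.
function simulatePipelineFlood(requestCount, policy) {
  let parsed = 0;      // requests pulled off the wire so far
  let pending = 0;     // responses created but not yet finished
  let peakPending = 0; // high-water mark: memory pinned by one client
  let reading = true;  // socket currently being read (not paused)
  let turns = 0;
  while (parsed < requestCount || pending > 0) {
    if (reading && parsed < requestCount) {
      // parser emits the next request; handler receives (req, res)
      parsed += 1;
      pending += 1;
      peakPending = Math.max(peakPending, pending);
      reading = policy.keepReadingAfter(pending);
    } else if (pending > 0) {
      // event-loop turn: the app finishes one response ('finish' event)
      turns += 1;
      pending -= 1;
      if (!reading) reading = policy.resumeAfterFinish(pending);
    } else {
      throw new Error('stalled: socket paused with nothing to drain');
    }
  }
  return { peakPending, turns };
}

module.exports = { VULNERABLE, withBackpressure, simulatePipelineFlood };
```

With the vulnerable policy the peak grows with the flood size, which is the resource a pipelining client can exhaust; with a limit of 1 the peak stays at 1 while the total work (turns) is unchanged.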
Comment 16 Kurt Seifried 2014-07-04 23:27:58 EDT
Statement:

OpenShift Enterprise 1.2 is in a lifecycle phase that only provides Critical and Important security updates; as this issue is rated Moderate, it will not be fixed. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/support/policy/updates/openshift.