Bug 1306203 (CVE-2016-2216)

Summary: CVE-2016-2216 nodejs: Response splitting vulnerability using Unicode characters
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, abhgupta, ahardin, apevec, ayoung, bleanhar, cbuissar, ccoleman, chrisw, cvsbot-xmlrpc, dallan, dbaker, dedgar, dmcphers, gkotton, hhorak, jamielinux, jgoulding, jialiu, jjoyce, jkeck, joelsmith, jokerman, jorton, jrusnack, jschluet, kbasil, lhh, lmeyer, lpeer, markmc, mchappel, mmaslano, mmccomas, mrunge, nodejs-sig, rbryant, sclewis, sgallagh, srevivo, tchollingsworth, tdawson, tdecacqu, thrcka, tiwillia, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 0.10.42, nodejs 0.12.10, nodejs 4.3.0, nodejs 5.6.0 Doc Type: Bug Fix
Doc Text:
It was found that nodejs functions manipulating HTTP headers did not properly forbid invalid characters. An attacker with ability to tamper with HTTP headers could use this flaw to inject a new-line allowing a response splitting attack.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1306206, 1306207, 1306208, 1417961, 1417963    
Bug Blocks: 1306204    

Description Adam Mariš 2016-02-10 10:22:14 UTC
It was reported that HTTP header parsing in Node.js is vulnerable to response splitting attacks. While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place.

External Reference:

https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/

Comment 2 Adam Mariš 2016-02-10 10:26:46 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1306207]
Affects: epel-all [bug 1306208]

Comment 4 Fedora Update System 2016-02-15 02:50:03 UTC
nodejs-0.10.42-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2016-02-22 20:50:34 UTC
nodejs-0.10.42-4.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-02-27 01:59:44 UTC
nodejs-0.10.42-4.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2016-02-27 02:06:56 UTC
nodejs-0.10.42-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Cedric Buissart 🐶 2016-11-22 10:39:00 UTC
Patches :
master branch : https://github.com/nodejs/node/commit/7bef1b7907
4.x branch : https://github.com/nodejs/node/commit/cf2b714b02
0.10.x branch : https://github.com/nodejs/node/commit/5c94624

Comment 11 Tomas Hoger 2016-11-23 18:59:21 UTC
(In reply to Ján Rusnačko from comment #3)
> Root cause analysis:
> 
> http://blog.safebreach.com/2016/02/09/http-response-splitting-in-node-js-
> root-cause-analysis/

The blog post has moved to:

https://safebreach.com/Post/HTTP-Response-Splitting-in-Node-js-Root-Cause-Analysis

Comment 15 Jason Shepherd 2018-04-03 04:50:16 UTC
Openshift Enterprise is pointed to latest RHSCL Node 4 image, which is 4.6.2. Marking as not afffected.