Bug 1346910 (CVE-2016-5325)

Summary: CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abaron, abhgupta, apevec, avibelli, ayoung, bleanhar, cbuissar, ccoleman, chrisw, cvsbot-xmlrpc, dmcphers, gsterlin, hhorak, jbalunas, jialiu, jjoyce, jkeck, jokerman, jorton, jschluet, jshepherd, kbasil, lhh, lmeyer, lpeer, markmc, mmccomas, mrunge, nodejs-sig, piotr1212, rrajasek, sardella, sclewis, sgallagh, srevivo, tchollingsworth, tdawson, tdecacqu, thrcka, tiwillia, tkirby, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 6.7.0, nodejs 4.6.0, nodejs 0.12.16, nodejs 0.10.47 Doc Type: If docs needed, set a value
Doc Text:
It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:54:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1346912, 1346913, 1346914, 1382889, 1392914, 1392915, 1399557, 1399558, 1425562, 1470256, 1470257, 1470258, 1470259    
Bug Blocks: 1346916, 1394602    

Description Adam Mariš 2016-06-15 15:51:23 UTC 
An unspecified low-severity Node.js HTTP processing vulnerability was found and
will be fixed in latest update. Details are currently embargoed until new
releases are available.

https://nodejs.org/en/blog/vulnerability/june-2016-security-releases/
Comment 2 Adam Mariš 2016-06-15 15:53:08 UTC 
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1346913]
Affects: epel-all [bug 1346914]
Comment 3 Tomas Hoger 2016-09-28 12:25:08 UTC 
This issue is now public via September 2016 security releases:

CVE-2016-5325: reason argument in ServerResponse#writeHead() not properly validated

This is a low severity security defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses.

The fix for this defect introduces a new case where throw may occur when configuring HTTP responses. Users should already be adopting try/catch here.

This was originally reported independently by Evan Lucas and Romain Gaucher.

All versions of Node.js are affected.

External References:

https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Comment 4 Tomas Hoger 2016-09-28 12:26:22 UTC 
Upstream commit:

0.10.x
https://github.com/nodejs/node/commit/3614a173d0a0827bb9f7a1aa65bf9ccc9c7d6784

4.x
https://github.com/nodejs/node/commit/b5c57ff772aff6cdee79206a2d53da6c638cbd13
Comment 6 Kurt Seifried 2016-10-26 17:18:30 UTC 
Additional details:

CVE-2016-5325: reason argument in ServerResponse#writeHead() not properly validated

This is a low severity security defect that that may make HTTP response splitting possible under certain circumstances. If user-input is passed to the reason argument to writeHead() on an HTTP response, a new-line character may be used to inject additional responses.

The fix for this defect introduces a new case where throw may occur when configuring HTTP responses. Users should already be adopting try/catch here.

This was originally reported independently by Evan Lucas and Romain Gaucher.

All versions of Node.js are affected.

https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
Comment 7 errata-xmlrpc 2016-10-27 16:42:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.3
  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:2101 https://access.redhat.com/errata/RHSA-2016:2101
Comment 10 errata-xmlrpc 2017-01-02 15:56:33 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS

Via RHSA-2017:0002 https://rhn.redhat.com/errata/RHSA-2017-0002.html