Bug 1690808 (CVE-2019-5737)
Summary: | CVE-2019-5737 nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Dhananjay Arunesh <darunesh> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | ahardin, avibelli, bgeorges, bleanhar, ccoleman, dbeveniu, dedgar, eparis, hesilva, hhorak, jbalunas, jgoulding, jokerman, jorton, jpallich, krathod, lthon, mchappel, mrunge, mszynkie, nodejs-sig, pgallagh, rruss, sgallagh, tchollingsworth, thrcka, trogers, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | nodejs 6.17.0, nodejs 8.15.1, nodejs 10.15.2, nodejs 11.10.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-07-22 15:07:06 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1690814, 1690815, 1691548, 1711309, 1711310, 1721035, 1721036, 1721037, 1721038 | ||
Bug Blocks: | 1690811 |
Description
Dhananjay Arunesh
2019-03-20 09:48:34 UTC
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 1690814] Created nodejs tracking bugs for this issue: Affects: epel-7 [bug 1690815] Upstream Commit: https://github.com/nodejs/node/commit/1a7302bd48 External References: https://nodejs.org/ja/blog/vulnerability/february-2019-security-releases/ Mitigation: The use of a Load Balancer or a Reverse Proxy will increase the difficulty of the attack. This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Via RHSA-2019:1821 https://access.redhat.com/errata/RHSA-2019:1821 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-5737 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2939 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:2939 https://access.redhat.com/errata/RHSA-2019:2925 |