Bug 1879314 (CVE-2020-8251)

Summary: CVE-2020-8251 nodejs: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: bdettelb, hhorak, jorton, kmullins, mrunge, nodejs-maint, nodejs-sig, scorneli, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nodejs 14.11.0
Doc Text:
Node.js 14.x before 14.11 is vulnerable to a denial of service caused by delayed requests. When Node.js is used as an edge server, that is, exposed directly to clients rather than behind a reverse proxy, an attacker can initiate a large number of HTTP requests and never complete them; each unfinished request keeps its connection open, so the process exhausts its resources and can no longer accept new connections. The highest threat from this vulnerability is to system availability.
Last Closed: 2021-04-19 13:51:59 UTC
Bug Depends On: 1878549, 1879332, 1879333, 1879334
Bug Blocks: 1878541

Description Doran Moppert 2020-09-16 01:16:31 UTC
Node.js 14.x versions prior to 14.11 are vulnerable to a denial of service condition based on delayed requests. When used as an edge server, an attacker can initiate but not complete a large number of HTTP requests causing resource exhaustion and rendering the server unable to accept new connections.

In 14.11 a new option "http.Server.requestTimeout" is introduced to mitigate this vulnerability.

Upstream advisory:

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Comment 1 Doran Moppert 2020-09-16 02:59:17 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1879332]
Affects: fedora-all [bug 1879333]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879334]

Comment 3 Jason Shepherd 2020-09-17 22:15:19 UTC
Statement:

NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.