Bug 1021170 - (CVE-2013-4450) CVE-2013-4450 NodeJS: HTTP Pipelining DoS
Product: Security Response
Classification: Other
Component: vulnerability
Hardware/OS: All / Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1021171 1021172 1021173 1021174 1021175 1021176 1027287
Blocks: 1021177
Reported: 2013-10-20 00:52 EDT by Kurt Seifried
Modified: 2014-07-04 23:27 EDT
Fixed In Version: nodejs 0.10.21, nodejs 0.8.26
Doc Type: Bug Fix
Last Closed: 2014-07-04 23:27:58 EDT
Attachments: None
Description Kurt Seifried 2013-10-20 00:52:55 EDT
Timothy J Fontaine of the NodeJS project reports the following security issue:

This release contains a security fix for the http server implementation; please
upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

* http: provide backpressure for pipeline flood (isaacs)


Fixed upstream in versions 0.10.21 and 0.8.26.
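The changelog line above, "provide backpressure for pipeline flood", is the whole fix in one sentence: a client that pipelines requests and never reads the responses makes the server parse and answer without limit, so unsent response data (and the request objects behind it) grow until memory runs out. What follows is an added example written for this page, not code from node, from the fix commit or from anyone on this bug. It is a small in-process model of a node-style HTTP server reading pipelined requests, first in the pre-0.10.21 form (keep parsing and answering no matter how much unread response data has piled up) and then with the fix's logic (stop reading from the socket while its writable side still needs draining, resume when the client drains it). The PipelineServer class, the deliver/floodStats/slowReaderStats helpers, the 16 KiB high-water mark, the 4 KiB delivery chunk, the 10,000-request stream and the example.test host are all constructed for the example.

```javascript
'use strict';
// Added example (not node's own code): model of pipelined-request handling
// with and without the 0.10.21 backpressure fix.

// Constructed input: `n` pipelined keep-alive requests from a client that
// never reads a single byte of response.
function pipelinedRequests(n, target = '/') {
  return Buffer.from(
    `GET ${target} HTTP/1.1\r\nHost: example.test\r\n\r\n`.repeat(n), 'latin1');
}

class PipelineServer {
  // backpressure=false is the pre-fix behaviour; the high-water mark is a
  // value assumed for the example (node's default writable mark is 16 KiB).
  constructor({ backpressure, highWaterMark = 16 * 1024 }) {
    this.backpressure = backpressure;
    this.highWaterMark = highWaterMark;
    this.pending = Buffer.alloc(0); // bytes handed to us but not yet parsed
    this.buffered = 0;              // response bytes the client has not read
    this.peakBuffered = 0;
    this.served = 0;
    this.paused = false;
  }

  // Stands in for the socket's writable-side "needDrain" state.
  get needDrain() { return this.buffered >= this.highWaterMark; }

  // Socket 'data': append the chunk and parse the complete requests it holds.
  feed(chunk) {
    this.pending = Buffer.concat([this.pending, chunk]);
    this.parse();
  }

  parse() {
    while (!this.paused) {
      const end = this.pending.indexOf('\r\n\r\n');
      if (end === -1) return;                    // wait for more bytes
      const head = this.pending.subarray(0, end).toString('latin1');
      this.pending = this.pending.subarray(end + 4);
      this.respond(head.split('\r\n')[0].split(' ')[1]);
      // The fix: with unread responses at or above the mark, pause the socket
      // (and parser) instead of accepting yet another pipelined request.
      if (this.backpressure && this.needDrain) this.paused = true;
    }
  }

  respond(target) {
    const body = `hello ${target}`;
    const res = `HTTP/1.1 200 OK\r\nContent-Length: ${body.length}\r\n\r\n${body}`;
    this.buffered += Buffer.byteLength(res, 'latin1');   // 45 bytes for "/"
    this.peakBuffered = Math.max(this.peakBuffered, this.buffered);
    this.served++;
  }

  // The client reads `n` response bytes; once below the mark the socket would
  // emit 'drain' and the fixed server resumes reading requests.
  read(n) {
    this.buffered = Math.max(0, this.buffered - n);
    if (this.paused && !this.needDrain) {
      this.paused = false;
      this.parse();
    }
  }
}

// Deliver `buf` from offset `off` in TCP-sized chunks. A paused socket gets no
// more data: in reality the kernel receive buffer fills and the sender stalls.
function deliver(server, buf, off = 0, chunk = 4096) {
  while (off < buf.length && !server.paused) {
    server.feed(buf.subarray(off, off + chunk));
    off += chunk;
  }
  return Math.min(off, buf.length);
}

// Flood with `n` requests and never read a response.
function floodStats(backpressure, n = 10000) {
  const server = new PipelineServer({ backpressure });
  const buf = pipelinedRequests(n);
  const off = deliver(server, buf);
  return { served: server.served, peakBuffered: server.peakBuffered,
           undelivered: buf.length - off, paused: server.paused };
}

// A client that does read responses: the fixed server serves everything while
// the unread-response buffer never exceeds the mark by more than one response.
function slowReaderStats(n = 10000, readBytes = 8192) {
  const server = new PipelineServer({ backpressure: true });
  const buf = pipelinedRequests(n);
  let off = 0;
  while (server.served < n) {
    off = deliver(server, buf, off);
    server.read(readBytes);
  }
  return { served: server.served, peakBuffered: server.peakBuffered };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('vulnerable  ', floodStats(false));
  console.log('fixed       ', floodStats(true));
  console.log('fixed+reads ', slowReaderStats());
}
```

Run with node: the vulnerable server answers all 10,000 requests and ends up holding 450,000 bytes of responses the client never reads (the bound is only how fast the client can send), while the fixed one stops after 365 responses with most of the request stream still undelivered, and the remaining requests are only read as the client consumes responses. The real fix applies the same idea at the socket level: the parser's incoming-request callback pauses the socket when the writable side needs draining, and the socket's 'drain' event resumes it.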

Comment 2 Kurt Seifried 2013-10-20 00:56:31 EDT
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1021171]
Affects: epel-6 [bug 1021172]
Comment 4 Vincent Danen 2013-10-21 11:01:56 EDT
For backporting, some patches are available:

And a decent technical overview can be found here:
Comment 5 Troy Dawson 2013-10-21 11:27:58 EDT
The 0.8.x patches go fairly cleanly into 0.6.20.
Looking at the code that is patched, I am fairly sure that 0.6.20 is vulnerable to this attack.  I'm also quite confident that the 0.8.x patch fixes the problem.
I have not tested either the vulnerability or the fix.
Comment 6 Stephen Gallagher 2013-10-21 11:30:59 EDT
Fedora has never shipped anything older than 0.10.x (well, the 0.9.x development branch), so I suspect figuring out if it applies to 0.6.x is pretty much academic.

I *think* Red Hat has also only ever shipped 0.10.x in Software Collections.
Comment 7 Jason DeTiberus 2013-10-21 11:41:34 EDT
0.6.x was shipped with OpenShift Enterprise and is in use by OpenShift Online.
Comment 8 Fedora Update System 2013-10-28 23:31:21 EDT
libuv-0.10.18-1.fc19, nodejs-0.10.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2013-10-28 23:35:57 EDT
libuv-0.10.18-1.fc18, nodejs-0.10.21-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Tomas Hoger 2013-11-06 08:14:36 EST
A test case for this issue is part of nodejs test suite:

Metasploit also includes a module for this issue:
Comment 11 Fedora Update System 2013-11-07 14:17:26 EST
libuv-0.10.18-1.el6, nodejs-0.10.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2013-11-10 02:46:15 EST
libuv-0.10.18-1.fc20, nodejs-0.10.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 errata-xmlrpc 2013-12-16 13:24:24 EST
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1842 https://rhn.redhat.com/errata/RHSA-2013-1842.html
Comment 14 Kurt Seifried 2014-07-04 23:16:44 EDT
OpenShift 2.1 uses SCL nodejs now, so removing from affected products.
Comment 15 Kurt Seifried 2014-07-04 23:22:30 EDT
nodejs 0.6 also appears to be vulnerable; the affected code:

in 0.10:
if (parser.socket.readable) {
  // force to read the next incoming message

in 0.6:
if (parser.socket.readable) {
  // force to read the next incoming message
Comment 16 Kurt Seifried 2014-07-04 23:27:58 EDT
OpenShift Enterprise 1.2 is in a lifecycle phase that only provides Critical and Important security updates; as this issue is rated Moderate, it will not be fixed. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/support/policy/updates/openshift.
