Bug 1591023 (CVE-2018-7164) - CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Socket as a stream
Summary: CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Sock...
Status: CLOSED NOTABUG
Alias: CVE-2018-7164
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180612,repor...
Keywords: Security
Depends On: 1591024
Blocks: 1591010
TreeView+ depends on / blocked
 
Reported: 2018-06-13 22:37 UTC by Laura Pardo
Modified: 2019-06-10 10:29 UTC (History)
31 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2019-06-10 10:29:00 UTC


Attachments (Terms of Use)

Description Laura Pardo 2018-06-13 22:37:05 UTC
A flaw was found in Node.js versions 9.7.0 and later and 10.x. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession.


References:
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

Comment 1 Laura Pardo 2018-06-13 22:37:47 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1591024]

Comment 2 Stephen Gallagher 2018-06-14 12:31:28 UTC
Where is the Fedora tracking bug for this?

Comment 3 Cedric Buissart 🐶 2018-06-29 09:37:24 UTC
In reply to comment 2:
> Where is the Fedora tracking bug for this?

Fedora-28 is shipped with nodejs-8.11.3-1.fc28, thus not affected. f-29 & rawhide are currently on nodejs-10.5.0 (https://apps.fedoraproject.org/packages/nodejs), which contains the fix, thus not affected either.
Is there really a need for a fedora tracking bug ?

Comment 4 Cedric Buissart 🐶 2018-06-29 09:50:37 UTC
's/really/still/'

Comment 5 Cedric Buissart 🐶 2018-06-29 11:37:27 UTC
upstream fix:
https://github.com/nodejs/node/commit/3217e8e66fa81e

Comment 8 Jason Shepherd 2018-09-04 04:16:09 UTC
This issue doesn't affect NodeJS 6, or 0.10 used by openshift-enterprise-10/logging-kibana and logging-auth-proxy respectively.


Note You need to log in before you can comment on or make changes to this bug.