1879314 – (CVE-2020-8251) CVE-2020-8251 nodejs: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests

Bug 1879314 (CVE-2020-8251) - CVE-2020-8251 nodejs: Denial of Service by resource exhaustion CWE-400 due to unfinished HTTP/1.1 requests

Summary: CVE-2020-8251 nodejs: Denial of Service by resource exhaustion CWE-400 due to...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-8251
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1878549 1879332 1879333 1879334
Blocks:	1878541
TreeView+	depends on / blocked

Reported:	2020-09-16 01:16 UTC by Doran Moppert
Modified:	2021-04-19 13:51 UTC (History)
CC List:	13 users (show)
Fixed In Version:	nodejs 14.11.0
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in Node.js 14.x, in versions before 14.11, where it is vulnerable to a denial of service caused by delayed requests. When used as an edge server, this flaw allows an attacker to initiate a large number of HTTP requests, causing resource exhaustion and leaving the service unable to accept new connections. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-04-19 13:51:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Doran Moppert 2020-09-16 01:16:31 UTC

Node.js 14.x versions prior to 14.11 are vulnerable to a denial of service condition based on delayed requests.  When used as an edge server, an attacker can initiate but not complete a large number of HTTP requests causing resource exhaustion and rendering the server unable to accept new connections.

In 14.11 a new option "http.Server.requestTimeout" is introduced to mitigate this vulnerability.

Upstream advisory:

https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/

Comment 1 Doran Moppert 2020-09-16 02:59:17 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1879332]
Affects: fedora-all [bug 1879333]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1879334]

Comment 2 Cedric Buissart 2020-09-16 13:38:31 UTC

Upstream fix:
https://github.com/nodejs/node/commit/753f3b247ae2d24fee0b3f48b9ec3a5c308f0650

Comment 3 Jason Shepherd 2020-09-17 22:15:19 UTC

Statement:

NodeJS is included in Red Hat Quay as a dependency of Yarn which is only used while building Red Hat Quay, and not during runtime.

Note You need to log in before you can comment on or make changes to this bug.