Bug 1021170 (CVE-2013-4450) - CVE-2013-4450 NodeJS: HTTP Pipelining DoS
Summary: CVE-2013-4450 NodeJS: HTTP Pipelining DoS
Alias: CVE-2013-4450
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1021171 1021172 1021173 1021174 1021175 1021176 1027287
Blocks: 1021177
Reported: 2013-10-20 04:52 UTC by Kurt Seifried
Modified: 2021-02-17 07:14 UTC

Fixed In Version: nodejs 0.10.21, nodejs 0.8.26
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-07-05 03:27:58 UTC

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2013:1842 | 0 | normal | SHIPPED_LIVE | Moderate: nodejs010-nodejs security update | 2013-12-16 23:21:53 UTC

Description Kurt Seifried 2013-10-20 04:52:55 UTC
Timothy J Fontaine of the NodeJS project reports the following security issue:

This release contains a security fix for the http server implementation, please
upgrade as soon as possible. Details will be released soon.

2013.10.18, Version 0.10.21 (Stable)

* http: provide backpressure for pipeline flood (isaacs)


Fixed upstream in versions 0.10.21 and 0.8.26:

Comment 2 Kurt Seifried 2013-10-20 04:56:31 UTC
Created nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1021171]
Affects: epel-6 [bug 1021172]

Comment 4 Vincent Danen 2013-10-21 15:01:56 UTC
For backporting, some patches are available:

And a decent technical overview can be found here:

Comment 5 Troy Dawson 2013-10-21 15:27:58 UTC
The 0.8.x patches go fairly cleanly into 0.6.20.
Looking at the code that is patched, I am fairly sure that 0.6.20 is vulnerable to this attack.  I'm also quite confident that the 0.8.x patch fixes the problem.
I have not tested either the vulnerability or the fix.

Comment 6 Stephen Gallagher 2013-10-21 15:30:59 UTC
Fedora has never shipped anything older than 0.10.x (well, the 0.9.x development branch), so I suspect figuring out if it applies to 0.6.x is pretty much academic.

I *think* Red Hat has also only ever shipped 0.10.x in Software Collections.

Comment 7 Jason DeTiberus 2013-10-21 15:41:34 UTC
0.6.x was shipped with OpenShift Enterprise and is in use by OpenShift Online.

Comment 8 Fedora Update System 2013-10-29 03:31:21 UTC
libuv-0.10.18-1.fc19, nodejs-0.10.21-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2013-10-29 03:35:57 UTC
libuv-0.10.18-1.fc18, nodejs-0.10.21-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Tomas Hoger 2013-11-06 13:14:36 UTC
A test case for this issue is part of nodejs test suite:

Metasploit also includes a module for this issue:

Comment 11 Fedora Update System 2013-11-07 19:17:26 UTC
libuv-0.10.18-1.el6, nodejs-0.10.21-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-11-10 07:46:15 UTC
libuv-0.10.18-1.fc20, nodejs-0.10.21-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 errata-xmlrpc 2013-12-16 18:24:24 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1842 https://rhn.redhat.com/errata/RHSA-2013-1842.html

Comment 14 Kurt Seifried 2014-07-05 03:16:44 UTC
OpenShift 2.1 uses SCL nodejs now, so removing from affected products.

Comment 15 Kurt Seifried 2014-07-05 03:22:30 UTC
nodejs 0.6 also appears to be vulnerable; the affected code:

in 0.10:
if (parser.socket.readable) {
// force to read the next incoming message

in 0.6:
if (parser.socket.readable) {
// force to read the next incoming message
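
Illustrative example added to this tracker entry, not code from the node.js project or from the upstream fix (which the page describes only by its changelog line, "provide backpressure for pipeline flood"): a per-connection backpressure policy that stops reading a socket once a bounded number of parsed-but-unanswered pipelined requests are waiting, and resumes reading as responses finish. This is the opposite of the quoted snippet above, which keeps forcing the next message to be read whenever the socket is readable. The threshold MAX_IN_FLIGHT, the helper names, the wiring function applyBackpressure and the fake socket are assumptions made for the illustration; a count-based threshold is a simplification chosen here, not a description of the upstream change.

```javascript
// Added illustration, not code from the node.js project: per-connection
// backpressure for pipelined HTTP requests. When a client sends many requests
// on one connection without waiting for responses, the server should stop
// reading the socket until it has caught up, instead of parsing and queueing
// every request unconditionally. All names and the threshold below are
// assumptions made for this example.

// Maximum number of parsed-but-unanswered requests tolerated per connection
// before reading is paused (assumed value for the illustration).
const MAX_IN_FLIGHT = 4;

// Per-socket bookkeeping; a WeakMap lets the entry be collected with the socket.
const connectionState = new WeakMap();

function getState(socket) {
  let s = connectionState.get(socket);
  if (!s) {
    s = { inFlight: 0, paused: false };
    connectionState.set(socket, s);
  }
  return s;
}

// Called when the parser has produced a new request on `socket`.
// Pauses the socket once the in-flight count reaches the threshold, so the
// bounded kernel receive buffer absorbs further pipelined bytes instead of
// the process heap filling with queued request objects.
function onRequest(socket) {
  const s = getState(socket);
  s.inFlight += 1;
  if (!s.paused && s.inFlight >= MAX_IN_FLIGHT) {
    s.paused = true;
    socket.pause();
  }
  return s;
}

// Called when a response on `socket` has been fully written ('finish').
// Resumes reading once the backlog has dropped below the threshold.
function onResponseFinish(socket) {
  const s = getState(socket);
  s.inFlight = Math.max(0, s.inFlight - 1);
  if (s.paused && s.inFlight < MAX_IN_FLIGHT) {
    s.paused = false;
    socket.resume();
  }
  return s;
}

// Assumed wiring for a real http.Server: every parsed request is counted and
// each response's 'finish' event releases one slot. Not exercised by the
// offline simulation below.
function applyBackpressure(server) {
  server.on('request', (req, res) => {
    onRequest(req.socket);
    res.on('finish', () => onResponseFinish(req.socket));
  });
  return server;
}

// Constructed fake socket that only records pause/resume calls, so the
// policy can be exercised without opening a port.
function makeFakeSocket() {
  return {
    readable: true,
    calls: [],
    pause() { this.readable = false; this.calls.push('pause'); },
    resume() { this.readable = true; this.calls.push('resume'); },
  };
}

// Simulate `requestCount` pipelined requests arriving on one connection before
// any response completes, then the responses completing one by one.
function simulatePipelineBurst(requestCount) {
  const sock = makeFakeSocket();
  for (let i = 0; i < requestCount; i++) onRequest(sock);
  const pausedAfterBurst = getState(sock).paused;
  for (let i = 0; i < requestCount; i++) onResponseFinish(sock);
  return {
    pausedAfterBurst,
    calls: sock.calls.slice(),
    inFlight: getState(sock).inFlight,
    readable: sock.readable,
  };
}
```

With the assumed wiring, applyBackpressure(http.createServer(handler)) would pause a connection after MAX_IN_FLIGHT unanswered requests and resume it once the handler has finished enough responses; simulatePipelineBurst(6) shows a single pause followed by a single resume, while a burst below the threshold never touches the socket.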

Comment 16 Kurt Seifried 2014-07-05 03:27:58 UTC
OpenShift Enterprise 1.2 is in a lifecycle phase that only provides Critical and Important security updates; as this issue is rated Moderate, it will not be fixed. For additional information, refer to the Red Hat OpenShift Enterprise Life Cycle: https://access.redhat.com/support/policy/updates/openshift.
