---------- Forwarded message ---------- From: Rod Vagg <rvagg> Date: Fri, Jul 3, 2015 at 8:47 PM Subject: NODE.JS SECURITY: Node.js v0.12.6 and io.js v2.3.3 To: security Bcc: tchollingsworth The Node.js Foundation TSC sincerely apologizes for the rushed handling of this security fix. Evening in the USA on the weekend of the 4th of July is not ideal and we would have preferred make a more measured response to this incident. We made the call to push forward because details about the bug and potential exploit has inadvertently made its way to a public forum. We decided that we would rather provide companies and users the tools to protect themselves and mitigate DoS attacks if they become a reality. If you are using Node.js v0.12 or any version if io.js please upgrade. Node.js v0.10 is not affected. * Node.js v0.12.6 is available at http://nodejs.org/dist/latest/ * io.js v2.3.3 is available at https://iojs.org/dist/latest/ * io.js v1.8.3 is available at https://iojs.org/dist/v1.8.3/ for any users still on v1.8. The quick summary of the bug: Kris Reeves and Trevor Norris pinpointed a bug in V8 in the way it decodes UTF strings. This impacts Node at `Buffer` to UTF8 `String` conversions and can cause a process to crash. The security concern comes from the fact that a lot of data from outside of an application is delivered to Node via this mechanism which means that users can potentially deliver specially crafted input data that can cause an application to crash when it goes through this path. We know that most networking and filesystem operations are impacted as would be many user-land uses of `Buffer` to UTF8 `String` conversion. We know that HTTP(S) header parsing is _not_ vulnerable because Node does not convert this data as UTF8. This is a small consolation because it restricts the way HTTP(S) can be exploited but there is more to HTTP(S) than header parsing obviously and we have confirmed that HTTP(S) is vulnerable via body parsing. We also have no information yet on how the various TLS terminators and forward-proxies in use may potentially mitigate against the form of data required for this exploit but it would be safe to assume that these are not a protective layer against a DoS attack. An initial ETA provided was midday PDT on the 3rd, that was based on the information we had available. Unfortunately, the patch was not quite ready and there was an extended test and verification process for V8, io.js and Node.js during the day. The builds also take some time on top of that, hence the delay. Fedor Indutny created the fix, Ben Noordhuis, Trevor Norris, Julien Gilli, Michael Dawson and Jeremiah Senkpiel all worked very hard to make this land successfully. If you have any further questions or concerns please contact us at security or respond to this email. - Node.js Foundation TSC -- This vulnerability does not affect the 0.10.x series shipped in Fedora, EPEL, and all Red Hat products that I am aware of. This is just a courtesy notice in case you all are using 0.12 or io.js anywhere.
NodeJS commit: https://github.com/joyent/node/commit/78b0e30954111cfaba0edbeee85450d8cbc6fdf6 Upstream V8 commit: https://chromium.googlesource.com/v8/v8.git/+/b199bcdd47ae97ec116b430e34ab42001c8f04c0%5E!/#F2
MITRE has assigned CVE-2015-5380 to this vulnerability.
OpenStack uses MongoDB which uses v8 on the back end, as such exploitation of this issue would be very difficult and the impact is limited.
Satellite, SAM and OpenShift are all affected minimally, exploitation is relatively difficult and the impact of exploitation is limited.
At this time, we have no additional z-streams planned for sat-6.5.z. Based upon that and that this is a low severity issue, closing this one as wontfix. Ref: https://access.redhat.com/support/policy/updates/satellite
Statement: This issue affects the versions of nodejs as shipped with various Red Hat Enterprise products. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. Red Hat Satellite 6.5 ship v8 however has been rated as a security impact of Moderate, product version Satellite 6.6 onward is not affected. Satellite 6.5 is in Maintenance Support phase of the product life cycle and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 6 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.