Bug 1516175 (CVE-2017-14919) - CVE-2017-14919 nodejs: DoS via specific windowBits value
Summary: CVE-2017-14919 nodejs: DoS via specific windowBits value
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-14919
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1516177 1516176 1525292 1525766 1525767
Blocks: 1516178
TreeView+ depends on / blocked
 
Reported: 2017-11-22 08:30 UTC by Andrej Nemec
Modified: 2021-02-17 01:13 UTC (History)
30 users (show)

Fixed In Version: nodejs 4.8.5, nodejs 6.11.5, nodejs 8.8.0
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-08 03:31:27 UTC
Embargoed:

Attachments (Terms of Use)

Description Andrej Nemec 2017-11-22 08:30:59 UTC 
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

External References:

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Comment 1 Andrej Nemec 2017-11-22 08:31:53 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1516177]
Affects: openshift-1 [bug 1516176]
Comment 2 Stefan Cornelius 2017-11-28 10:54:43 UTC 
Upstream bug report:
https://github.com/nodejs/node/issues/13082

Patch pull request:
https://github.com/nodejs/node/pull/13098


rh-nodejs6-nodejs and rh-nodejs8-nodejs contain the fixed code already. rh-nodejs4-nodejs does not, but we don't ship zlib 1.2.9, so it does not really matter for RHSCL/RHEL.
Comment 5 Jason Shepherd 2018-04-03 05:15:59 UTC 
Openshift Enterprise uses the RHSCL nodejs-4-rhel7 image which doesn't include zlib 1.2.9. Marking as not affected.
Note You need to log in before you can comment on or make changes to this bug.