1591023 – (CVE-2018-7164) CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Socket as a stream

Bug 1591023 (CVE-2018-7164) - CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Socket as a stream

Summary: CVE-2018-7164 nodejs: uncontrolled memory consumption when using the net.Sock...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2018-7164
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1591024
Blocks:	1591010
TreeView+	depends on / blocked

Reported:	2018-06-13 22:37 UTC by Laura Pardo
Modified:	2020-11-05 10:32 UTC (History)
CC List:	30 users (show)
Fixed In Version:	nodejs 10.4.1, nodejs 9.11.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:29:00 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-06-13 22:37:05 UTC

A flaw was found in Node.js versions 9.7.0 and later and 10.x. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession.


References:
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

Comment 1 Laura Pardo 2018-06-13 22:37:47 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1591024]

Comment 2 Stephen Gallagher 2018-06-14 12:31:28 UTC

Where is the Fedora tracking bug for this?

Comment 3 Cedric Buissart 2018-06-29 09:37:24 UTC

In reply to comment 2:
> Where is the Fedora tracking bug for this?

Fedora-28 is shipped with nodejs-8.11.3-1.fc28, thus not affected. f-29 & rawhide are currently on nodejs-10.5.0 (https://apps.fedoraproject.org/packages/nodejs), which contains the fix, thus not affected either.
Is there really a need for a fedora tracking bug ?

Comment 4 Cedric Buissart 2018-06-29 09:50:37 UTC

's/really/still/'

Comment 5 Cedric Buissart 2018-06-29 11:37:27 UTC

upstream fix:
https://github.com/nodejs/node/commit/3217e8e66fa81e

Comment 8 Jason Shepherd 2018-09-04 04:16:09 UTC

This issue doesn't affect NodeJS 6, or 0.10 used by openshift-enterprise-10/logging-kibana and logging-auth-proxy respectively.

Note You need to log in before you can comment on or make changes to this bug.

ahardin
alessandro.polidori
athmanem
avibelli
bgeorges
bleanhar
ccoleman
dbeveniu
dedgar
hesilva
hhorak
jbalunas
jgoulding
jokerman
jorton
jpallich
jshepherd
krathod
lthon
mchappel
mrunge
mszynkie
nodejs-sig
pgallagh
rruss
sgallagh
tchollingsworth
thrcka
trogers
zsvetlik