1591006 – (CVE-2018-7167) CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters

Bug 1591006 (CVE-2018-7167) - CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters

Summary: CVE-2018-7167 nodejs: Denial of Service by calling Buffer.fill() or Buffer.al...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-7167
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1591007 1591008 1591009 1596637 1596638
Blocks:	1591010
TreeView+	depends on / blocked

Reported:	2018-06-13 22:05 UTC by Laura Pardo
Modified:	2021-01-15 12:29 UTC (History)
CC List:	37 users (show)
Fixed In Version:	nodejs 10.4.1, nodejs 9.11.2, nodejs 8.11.3, nodejs 6.14.3
Doc Type:	If docs needed, set a value
Doc Text:	It was found that the Buffer.fill() and Buffer.alloc() function may hang. An attacker able to control the input of these function could use this flaw to cause a denial of service.
Clone Of:
Environment:
Last Closed:	2021-01-15 12:29:22 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-06-13 22:05:52 UTC

A flaw was found in Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x. Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service.


References:
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

Comment 1 Laura Pardo 2018-06-13 22:06:53 UTC

Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 1591007]
Affects: fedora-all [bug 1591009]

Comment 4 Cedric Buissart 2018-06-28 13:45:05 UTC

Upstream fix:
https://github.com/nodejs/node/commit/7dbcfc6217

Comment 6 Jason Shepherd 2018-06-29 05:43:05 UTC

RHOAR NodeJS 10.4.1, has already been released with fixes for this issue.

Comment 12 Jason Shepherd 2018-08-07 04:43:19 UTC

While jenkins-slave-nodejs8 includes a vulnerable version of NodeJS 8, users are not able to affect other uses of the platform.

Comment 14 Jason Shepherd 2018-09-04 03:46:59 UTC

NodeJS 0.10 used by openshift-enterprise-3/logging-auth-proxy is not affected by this issue.

Comment 15 Jason Shepherd 2018-09-04 03:52:11 UTC

openshift-enterprise-3/logging-kibana doesn't make use of the code affected by this flaw

Comment 17 Cedric Buissart 2018-11-08 15:19:16 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2018:2949 https://access.redhat.com/errata/RHSA-2018:2949

Note You need to log in before you can comment on or make changes to this bug.

ahardin
athmanem
avibelli
bgeorges
bleanhar
cbuissar
ccoleman
cmacedo
dbeveniu
dedgar
dffrench
drusso
hesilva
hhorak
jbalunas
jgoulding
jmadigan
jokerman
jorton
jpallich
jshepherd
krathod
lgriffin
lthon
mchappel
mrunge
mszynkie
ngough
nodejs-sig
pgallagh
pwright
rruss
sgallagh
tchollingsworth
thrcka
trepel
zsvetlik