FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

node.js -- multiple vulnerabilities

Affected packages
node6 < 6.14.3
node8 < 8.11.3
node < 10.4.1

Details

VuXML ID 45b8e2eb-7056-11e8-8fab-63ca6e0e13a2
Discovery 2018-06-12
Entry 2018-06-15

Node.js reports:

Denial of Service Vulnerability in HTTP/2 (CVE-2018-7161)

All versions of 8.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug where objects are used in native code after they are no longer available. This has been addressed by updating the http2 implementation. Thanks to Jordan Zebor at F5 Networks for reporting this issue.

Denial of Service, nghttp2 dependency (CVE-2018-1000168)

All versions of 9.x and later are vulnerable and the severity is HIGH. Under certain conditions, a malicious client can trigger an uninitialized read (and a subsequent segfault) by sending a malformed ALTSVC frame. This has been addressed through an by updating nghttp2.

Denial of Service Vulnerability in TLS (CVE-2018-7162)

All versions of 9.x and later are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node process which provides an http server supporting TLS server to crash. This can be accomplished by sending duplicate/unexpected messages during the handshake. This vulnerability has been addressed by updating the TLS implementation. Thanks to Jordan Zebor at F5 Networks all of his help investigating this issue with the Node.js team.

Memory exhaustion DoS on v9.x (CVE-2018-7164)

Versions 9.7.0 and later are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was restored by reverting to the prior behaviour.

Calls to Buffer.fill() and/or Buffer.alloc() may hang (CVE-2018-7167)

Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases.

References

CVE Name CVE-2018-1000168
CVE Name CVE-2018-7161
CVE Name CVE-2018-7162
CVE Name CVE-2018-7164
CVE Name CVE-2018-7167
URL https://nghttp2.org/blog/2018/04/12/nghttp2-v1-31-1/
URL https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/