
Node.js Security Release Summary

In light of the recent disclosure of several Node.js vulnerabilities, we offer a comprehensive list of the steps to take to secure your web app.

On July 11th, Michael Dawson announced expected updates to the Node.js 4, 6, 7 and 8 release lines. The possibility of a Denial of Service vulnerability in all release lines from 4.x to 8.x was shared at this time.

Additionally, two other security patches were included, one applicable to all Node.js releases (not just active release lines, but all versions) in a dependency of the project and another that's exclusively applicable to the Node.js 4 release line.

At the time of publishing, the security vulnerabilities have been patched and released. The patched versions for each release line are:

  • Node.js 8.1.4
  • Node.js 7.10.1
  • Node.js 6.11.1
  • Node.js 4.8.4

To understand the full impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, you can find details of the releases below. At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.
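As an added example, not part of the original article, the following Node.js script classifies a version string (by default the running process.version) against the patched releases listed above and reports whether that runtime predates the fix for its release line; lines the advisory does not list (0.x, 5.x, 9.x and later) are reported as not covered.

```javascript
// Added example (not from the article): classify a Node.js version against the
// July 2017 security releases. Patched versions per line are taken from the text above.
const PATCHED = { 4: '4.8.4', 6: '6.11.1', 7: '7.10.1', 8: '8.1.4' };

// Parse "v8.1.3" or "8.1.3" into [major, minor, patch] as numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b (numeric, not lexical,
// so 8.10.0 sorts after 8.9.4).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Returns { status, fixed } where status is:
//   'vulnerable'  - a 4.x-8.x build older than the fixed release for its line
//   'patched'     - at or above the fixed release for its line
//   'not-covered' - a release line the advisory does not list (0.x, 5.x, 9.x+)
function assess(version) {
  const major = parseVersion(version)[0];
  const fixed = PATCHED[major];
  if (fixed === undefined) return { status: 'not-covered', fixed: null };
  const status = compareVersions(version, fixed) >= 0 ? 'patched' : 'vulnerable';
  return { status, fixed };
}

// Check the runtime this script is executing on.
const result = assess(process.version);
console.log(`Node.js ${process.version}: ${result.status}` +
  (result.status === 'vulnerable' ? ` (upgrade to ${result.fixed})` : ''));
```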

Node.js Security Impact Assessment

CVE Pending: Constant Hashtable Seeds

  • Impact Level: High
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

Node.js was built with V8 snapshots enabled by default, and the snapshot caused the initially randomized HashTable seed to be overwritten on startup with a value fixed at build time. The seed was therefore constant across every copy of a given Node.js release, which left Node.js susceptible to hash-flooding remote denial-of-service (DoS) attacks.

This vulnerability was reported by Jann Horn of Google Project Zero. 

Affected Versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

CVE-2017-1000381: c-ares NAPTR Parser Out of Bounds Access

  • Impact Level: Low
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

A security vulnerability in c-ares, applicable to all versions of Node.js, has been discovered and disclosed in CVE-2017-1000381.

This vulnerability allowed memory outside a given input buffer to be read when specially crafted DNS response packets containing NAPTR records were parsed. The CVE recommends the patch for all currently active Node.js release lines, as well as Node.js 7.

Affected Versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

Node.js 4 Argon LTS: http.get() With Numeric Authorization Options Creates Uninitialized Buffers

  • Impact Level: Low
  • Affected Node.js Versions: 4.x

In applications running on Node.js 4.x, calling http.get() with the auth option set to a number could cause an uninitialized buffer to be created and used as the method's authentication string.

This has been patched in Node.js 4.x as of 4.8.4: parsing of the auth field has been updated so that a TypeError is thrown if the auth field is a number when http.get() is called.
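An added illustration, not code from the Node.js patch itself: the Basic Authorization header that http.get() derives from options.auth, built with an explicit string check so that a numeric value raises a TypeError up front (the outcome Node.js 4.8.4 enforces) instead of reaching the legacy Buffer constructor, which treats a number as a byte length. The host name and credentials are constructed sample values.

```javascript
// Added example: mirrors the post-4.8.4 behaviour for options.auth.
// Background from the advisory: before 4.8.4, a numeric auth value reached the
// legacy `new Buffer(auth)` call, which interprets a number as a byte length and
// returned that many bytes of uninitialized memory, so the header carried
// leftover process memory instead of credentials.
function basicAuthorizationHeader(auth) {
  if (typeof auth !== 'string') {
    // Reject numbers (and anything else) before any Buffer is allocated.
    throw new TypeError('The "auth" option must be a string');
  }
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Validate request options before they are passed to http.get()/http.request():
// returns a shallow copy with an Authorization header derived from `auth`,
// or throws a TypeError if `auth` is present and not a string.
function withValidatedAuth(options) {
  const opts = Object.assign({}, options);
  if (opts.auth !== undefined) {
    opts.headers = Object.assign({}, opts.headers, {
      Authorization: basicAuthorizationHeader(opts.auth),
    });
    delete opts.auth; // the header now carries the credentials
  }
  return opts;
}

// Constructed sample inputs: a well-formed auth string and the numeric misuse.
const ok = withValidatedAuth({ host: 'example.invalid', auth: 'user:pass' });
console.log(ok.headers.Authorization); // Basic dXNlcjpwYXNz

try {
  withValidatedAuth({ host: 'example.invalid', auth: 7 });
} catch (e) {
  console.log(`${e.constructor.name}: ${e.message}`);
}
```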

Affected Versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.

Stay Secure With Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules, which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as an Architecture Evaluation to make sure that when you need help with Node.js, you have someone to call.

Published at DZone with permission of Tierney Cyren, DZone MVB.
