Node.js Security Release Summary

In light of the recent discovery of a number of Node.js vulnerabilities, we offer a comprehensive list of steps to take to secure your web app.

By Tierney Cyren · Jul. 12, 17 · News

On July 11th, Michael Dawson announced upcoming updates to the Node.js 4, 6, 7, and 8 release lines, and shared at the same time the possibility of a Denial of Service vulnerability in all release lines from 4.x to 8.x.

Additionally, two other security patches were included, one applicable to all Node.js releases (not just active release lines, but all versions) in a dependency of the project and another that's exclusively applicable to the Node.js 4 release line.

At the time of publishing, the security vulnerabilities have been patched and released. The patched versions for each release line are:

  • Node.js 8.1.4
  • Node.js 7.10.1
  • Node.js 6.11.1
  • Node.js 4.8.4
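The following script checks a Node.js version string against the patched versions listed above. It is an added example, not code from the original article or from NodeSource: it maps each release line to its fixed version and to the issues this summary attributes to that line, and flags 7.x for a move to 8.1.4 given its EOL status.

```javascript
// Added example, not from the original article: assess a Node.js version
// string against the fixed versions in this July 2017 security release.

// Release line -> first version carrying the fixes (taken from the summary).
const FIXED = { 4: '4.8.4', 6: '6.11.1', 7: '7.10.1', 8: '8.1.4' };

// Issues this summary attributes to each release line.
const HASH = 'constant HashTable seed (hash-flooding DoS)';
const CARES = 'CVE-2017-1000381 (c-ares NAPTR out-of-bounds read)';
const AUTH = 'http.get() numeric auth option (uninitialized buffer)';
const ISSUES = { 4: [HASH, CARES, AUTH], 6: [HASH, CARES], 7: [HASH, CARES], 8: [HASH, CARES] };

// Parse "v6.10.3" or "6.10.3" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`unrecognised version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison returning -1, 0 or 1
// (a string comparison would wrongly sort 6.9.x after 6.11.x).
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { line, status, issues, upgradeTo } for the given version string.
function assess(version) {
  const parsed = parseVersion(version);
  const line = parsed[0];
  if (!(line in FIXED)) {
    // Release lines not named in this summary (e.g. later majors) are out of scope.
    return { line, status: 'not listed', issues: [], upgradeTo: null };
  }
  const patched = compare(parsed, parseVersion(FIXED[line])) >= 0;
  let upgradeTo = null;
  if (!patched) {
    // 7.x is EOL: 7.10.1 is the minimum, but the summary recommends moving to 8.1.4.
    upgradeTo = line === 7 ? '8.1.4 (7.10.1 at minimum; 7.x is EOL)' : FIXED[line];
  }
  return { line, status: patched ? 'patched' : 'vulnerable', issues: patched ? [] : ISSUES[line], upgradeTo };
}

// Report on the process this script runs under.
const result = assess(process.version);
console.log(`${process.version}: ${result.status}` + (result.upgradeTo ? `, upgrade to ${result.upgradeTo}` : ''));
for (const issue of result.issues) console.log(`  - ${issue}`);
```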

To understand the full impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, you can find details of the releases below. At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.

Node.js Security Impact Assessment

CVE Pending: Constant Hashtable Seeds

  • Impact Level: High
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

Because Node.js was built with V8 snapshots enabled by default, the initially randomized HashTable seed was overwritten in the build process for each released version of Node.js. This minor error left Node.js susceptible to remote DoS attacks via hash flooding.

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

This vulnerability was reported by Jann Horn of Google Project Zero. 

Affected Versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

CVE-2017-1000381: c-ares NAPTR Parser Out of Bounds Access

  • Impact Level: Low
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

A security vulnerability in c-ares, applicable to all versions of Node.js, has been discovered and disclosed in CVE-2017-1000381.

This vulnerability allowed memory outside a given input buffer to be read through specially crafted DNS response packets when parsing NAPTR responses. The CVE recommends applying the patch in all currently active Node.js release lines, as well as in Node.js 7.

Affected Versions of Node.js:

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

Node.js 4 Argon LTS: http.get() With Numeric Authorization Options Creates Uninitialized Buffers

  • Impact Level: Low
  • Affected Node.js Versions: 4.x

Where http.get() was used in applications running on Node.js 4.x and the auth option could be set to a number, an uninitialized buffer could be created and used as the method's authentication string.

This has been patched in Node.js 4.x as of 4.8.4: parsing of the auth field has been updated so that a TypeError is thrown if the auth field is a number when http.get() is called.

Affected Versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.

Stay Secure With Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules, which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as an Architecture Evaluation to make sure that when you need help with Node.js, you have someone to call.


Published at DZone with permission of Tierney Cyren, DZone MVB. See the original article here.
