BT

Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ
News Articles Presentations Podcasts Guides

Topics

Choose your language

InfoQ Dev Summit Boston

Discover transformative insights to level up your software development decisions. Register now with early bird tickets.
InfoQ Dev Summit Munich

Get practical advice from senior developers to navigate your current dev challenges. Register now with early bird tickets.
QCon San Francisco

Level up your software skills by uncovering the emerging trends you should focus on. Register now.
The Software Architects' Newsletter

Your monthly guide to all the topics, technologies and techniques that every professional needs to know about. Subscribe for free.

InfoQ Homepage News Security Release for DOS Vulnerability in Node.js

Web Development

Security Release for DOS Vulnerability in Node.js

Bookmarks

Dec 01, 2015 1 min read

InfoQ Article Contest

Share your knowledge Win a ticket to a QCon event
or an InfoQ Dev SummitFind out more

The Node.js Foundation has announced vulnerabilities in Node.js where attackers could cause a denial of service.

In the post CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability Rod Vagg, director of the foundation's Technical Steering Committee, gave initial details of two separate vulnerabilities.

CVE-2015-8027 is described as "a high-impact denial of service vulnerability", and CVE-2015-6764 as "a low-impact V8 out-of-bounds access vulnerability." Vagg elaborated on the high impact of CVE-2015-8027, saying:

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.

Node.js' own security update has been postponed to coincide with security updates announced by the OpenSSL project. The project's moderate severity vulnerabilities may affect all versions from 0.10.x to 5.0.

Commenting on the planned updates for Node.js, in the post December Security Release Schedule Update, Vagg said the team needed to consider "the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js." To prevent this Node's update will be made on December 4: two days later than originally planned.

"Patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release," Vagg said.

The out-of-bounds Access Vulnerability identified in CVE-2015-6764 affects all versions of Node.js v4.x and v5.x. The medium-severity issue can give attackers the ability "to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application."

Node.js is closely reliant on OpenSSL, with versions v0.10.x and v0.12.x dependent on OpenSSL v1.0.1, and versions v4.x (LTS Argon) and v5.x on OpenSSL v1.0.2. Vagg says because OpenSSL is statically linked into binaries in the Node.js build process there will be "new releases of all actively maintained Node.js release lines" to protect users against potential vulnerabilities.

The OpenSSL project will no longer be releasing security updates for 1.0.0 and 0.9.8 releases from the end of this year.

Rate this Article

Adoption
Style

This content is in the Web Development topic

Related Topics:
BT