High-impact DoS flaw patched in Node.js, update as soon as possible
The Node.js Foundation has pushed out a patch for its eponymous open source, cross-platform runtime environment for developing server-side web applications. The fix plugs two security vulnerabilities, one of which is a high-impact DoS issue (CVE-2015-8027).
“This critical denial of service vulnerability impacts all versions of v0.12.x through to v5.x, inclusive,” the Foundation explained.
“The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.”
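A defender-side check that follows the affected range and upgrade advice quoted above, added here as an example rather than code from the article or the Node.js project. It assumes the operator fills in the patched point release for each line from the Foundation's advisory, which the article does not list; the `patchedByLine` map, `upgradeStatus` and the other function names are this example's own:

```javascript
// Added example, not code from the article or the Node.js project. It
// classifies a Node.js version string against the release lines the Foundation
// named as affected (v0.12.x through v5.x inclusive) and, once the operator has
// looked up the patched point release for a line, compares the running version
// against it. patchedByLine is an operator-supplied map; no values are assumed.

// Parse "v4.2.1" or "4.2.1" into numeric parts; rejects anything else.
function parseVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  if (!m) throw new Error('unrecognised version string: ' + str);
  return { major: +m[1], minor: +m[2], patch: +m[3] };
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  return (va.major - vb.major) || (va.minor - vb.minor) || (va.patch - vb.patch);
}

// Release line key: "0.12" for the 0.x series, "4", "5", ... otherwise.
function releaseLine(str) {
  const v = parseVersion(str);
  return v.major === 0 ? '0.' + v.minor : String(v.major);
}

// True for the lines the advisory lists; 0.10 and earlier, and 6+, are outside.
function isAffectedLine(str) {
  const v = parseVersion(str);
  return v.major === 0 ? v.minor === 12 : v.major >= 1 && v.major <= 5;
}

// 'unaffected' (line not in range), 'unknown' (affected line, no patched
// version supplied for it), 'upgrade' (below the patched release) or 'patched'.
function upgradeStatus(running, patchedByLine) {
  if (!isAffectedLine(running)) return 'unaffected';
  const fixed = patchedByLine[releaseLine(running)];
  if (!fixed) return 'unknown';
  return compareVersions(running, fixed) >= 0 ? 'patched' : 'upgrade';
}

// Check the interpreter this script runs under. Fill the map from the
// Foundation's advisory, e.g. { '4': 'v4.x.y' }; left empty here on purpose.
function checkRunningNode(patchedByLine) {
  const version = typeof process !== 'undefined' ? process.version : null;
  return version ? { version, status: upgradeStatus(version, patchedByLine) } : null;
}

console.log(checkRunningNode({}));
```

With an empty map every affected line reports `unknown`, which is the safe answer until the patched release number has been confirmed against the advisory.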
According to Or Wilder, a security researcher at Imperva, Node.js is very popular among new startups and companies that have chosen a ‘FullStack’ web environment, because it lets them accelerate web application development. Node is also becoming more popular in large organisations and is currently in use at companies such as PayPal, LinkedIn and HP.
Over a week ago, the Foundation revealed the existence of the two flaws and announced that a patch for them would be pushed out this Wednesday (December 2).
Because the OpenSSL project announced security updates for Thursday (December 3), and Node.js depends on OpenSSL, the Node.js Foundation decided to postpone its security releases so that they coincided with the OpenSSL release, and to publish them on Friday (December 4) instead.
“We’ve witnessed attackers leveraging all kinds of DoS vulnerabilities to attack web-based infrastructures; attackers tend to adjust their methods to the attacked platform. We’re likely to start seeing DoS attack attempts right after a vulnerability is publicly disclosed. Due to the high popularity of Node.js, it will probably be incorporated into DoS attack tools,” noted Wilder.
“The vulnerability is an application-level vulnerability; thus, infrastructures are not directly affected by it. However, attackers may use it to take down servers with other services on them. Organisations with web-facing applications that are heavily based on Node.js would be vulnerable to this kind of attack. An attacker on a single machine would be able to completely take down those services. Although there is no publicly disclosed information regarding the vulnerability, our past experience shows that a vulnerable web service could be used to corrupt the entire service or other relying services.”