CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

[Rod Vagg]

CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

This announcement is for:

* CVE-2015-8027: a high-impact denial of service vulnerability
* CVE-2015-6764: a low-impact V8 out-of-bounds access vulnerability

CVE-2015-8027 Denial of Service Vulnerability

Description and CVSS Score

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are vulnerable.
• Versions 4.x, including LTS Argon, of Node.js are vulnerable.
• Versions 5.x of Node.js are vulnerable.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric                      | Score                      |
|-----------------------------|----------------------------|
| **Base Score:**             | **7.5 (High)**             |
| **Base Vector:**            | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| **Attack Vector:**          | Network (AV:N)             |
| **Attack Complexity:**      | Low (AC:L)                 |
| **Privileges Required:**    | None (PR:N)                |
| **User Interaction:**       | None (UI:N)                |
| **Scope of Impact:**        | Unchanged (S:U)            |
| **Confidentiality Impact:** | None (C:N)                 |
| **Integrity Impact:**       | None (I:N)                 |
| **Availability Impact:**    | High (A:H)                 |

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-8027 is listed on the MITRE CVE dictionary and NIST NVD.


CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

Description and CVSS Score

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are not affected.
• Versions 4.x, including LTS Argon, of Node.js are vulnerable.
• Versions 5.x of Node.js are vulnerable.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric                      | Score                      |
|-----------------------------|----------------------------|
| **Base Score:**             | **4.4 (Medium)**           |
| **Base Vector:**            | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H
| **Attack Vector:**          | Network (AV:N)             |
| **Attack Complexity:**      | Medium (AC:H)              |
| **Privileges Required:**    | High (PR:H)                |
| **User Interaction:**       | None (UI:N)                |
| **Scope of Impact:**        | Unchanged (S:U)            |
| **Confidentiality Impact:** | None (C:N)                 |
| **Integrity Impact:**       | None (I:N)                 |
| **Availability Impact:**    | High (A:H)                 |

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-6764 is listed on the MITRE CVE dictionary and NIST NVD.

Action and updates

New releases of v0.12.x, v4.x and v5.x on Wednesday the 2nd of December 2015, UTC will be made available with appropriate fixes for CVE-2015-8027 and CVE-2015-6764 (for v4.x and v5.x only) along with disclosure of the details of the bug to allow for complete impact assessment by users.

Contact and future updates

Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.

[Rod Vagg]

December Security Release Schedule Update

The OpenSSL project announced today that they will be releasing security updates for versions 1.0.2, 1.0.1, 1.0.0 and 0.9.8 on the 3rd of December UTC. The updates will fix a number of security defects, the highest of which is classified as "moderate" severity according to their severity scale:

MODERATE Severity. This includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.

Node.js versions v0.10.x and v0.12.x depend on OpenSSL v1.0.1 and versions v4.x (LTS Argon) and v5.x depend on OpenSSL v1.0.2. As the Node.js build process statically links OpenSSL into binaries, we will be required to release patch-level updates to all of our actively supported versions to include the upstream fixes. While we are unaware of the exact nature of the OpenSSL vulnerabilities being fixed, we must consider it likely that Node.js releases will be required in order to protect users.

Since the OpenSSL release schedule is two days after our announced updates for v0.12.x, v4.x and v5.x, we have decided to postpone our security releases to coincide with OpenSSL release availability. We will also be including v0.10.x in our set of releases.

Therefore, we are moving our planned security releases for Node.js from Wednesday the 2nd of December 2015, UTC to the Friday, the 4th of December 2015, UTC (Thursday the 3rd of December US time). We understand that the timing of this during the work-week is unfortunate but we must take into account the possibility of introducing a vulnerability gap between disclosure of OpenSSL vulnerabilities and patched releases by Node.js and therefore must respond as quickly as practical. Please be aware that patching and testing of OpenSSL updates is a non-trivial exercise and there will be significant delay after the OpenSSL releases before we can be confident that Node.js builds are stable and suitable for release.

An updated summary of the release inclusions is available below:

---

CVE-2015-8027 Denial of Service Vulnerability

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high and users of the affected versions should plan to upgrade when a fix is made available.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are vulnerable.
• Versions 4.x, including LTS Argon, of Node.js are vulnerable.
• Versions 5.x of Node.js are vulnerable.

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users, but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are not affected.
• Versions 4.x, including LTS Argon, of Node.js are vulnerable.
• Versions 5.x of Node.js are vulnerable.

OpenSSL Moderate Severity Update

The OpenSSL project has announced a set of releases which contain fixes for multiple vulnerabilities, the highest severity being labelled "moderate". Consult the OpenSSL security policy for details on this definition. New releases of all actively maintained Node.js release lines are required in order to protect users against potential vulnerabilities in their applications. We do not have details on the nature of any of the included vulnerabilities or their fixes, users should plan for upgrades as soon as practical.

• Versions 0.10.x of Node.js may be vulnerable.
• Versions 0.12.x of Node.js may be vulnerable.
• Versions 4.x, including LTS Argon, of Node.js may be vulnerable.
• Versions 5.x of Node.js may be vulnerable.

[Rod Vagg]

December Security Release Summary

Last week we announced the planned release of patch updates to the v0.12.x, v4.x and v5.x lines to fix two vulnerabilities. That was further amended by the announcement of OpenSSL updates with fixes for vulnerabilities labelled medium severity. The OpenSSL update impacts all active release lines, including v0.10.x.

Today we have released Node.js v0.10.41 (Maintenance), v0.12.9 (LTS), v4.2.3 "Argon" (LTS) and v5.1.1 (Stable) with fixes for the announced vulnerabilities and updates to OpenSSL.

For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below.

CVE-2015-8027 Denial of Service Vulnerability

This critical denial of service (DoS) vulnerability impacts all versions of v0.12.x through to v5.x, inclusive. The vulnerability was discovered by Node.js core team member Fedor Indutny and relates to HTTP pipelining. Under certain conditions an HTTP socket may no longer have a parser associated with it but a pipelined request can trigger a pause or resume on the non-existent parser thereby causing an uncaughtException to be thrown. As these conditions can be created by an external attacker and cause a Node.js service to be shut down we consider this a critical vulnerability. It is recommended that users of impacted versions of Node.js exposing HTTP services upgrade to the appropriate patched versions as soon as practical.

• Versions 0.10.x of Node.js are not affected.

• Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
• Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
• Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

A bug was discovered in V8's implementation of JSON.stringify() that can result in out-of-bounds reads on arrays. The patch was included in this week's update of Chrome Stable. While this bug is high severity for browsers, it is considered lower risk for Node.js users as it requires the execution of third-party JavaScript within an application in order to be exploitable.

Node.js users who expose services that process untrusted user-supplied JavaScript are at obvious risk. However, we recommend that all users of impacted versions of Node.js upgrade to the appropriate patched version in order to protect against malicious third-party JavaScript that may be executed within a Node.js process by other means.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are not affected.

• Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
• Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-3193 OpenSSL BN_mod_exp may produce incorrect results on x86_64

A bug exists in OpenSSL v1.0.2 in the Montgomery squaring procedure on the x64 architecture that expose potential attack vectors. Attacks against RSA and DSA are considered possible but with a very high degree of difficulty. Attacks against DHE key exchange is considered feasible but difficult. EC algorithms are not vulnerable. Node.js TLS servers using DHE key exchange are considered at highest risk although it is believed that Node.js' existing use of SSL_OP_SINGLE_DH_USE may make DHE attacks impractical. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users exposing TLS servers upgrade to patched versions as soon as practical.

• Versions 0.10.x of Node.js are not affected.
• Versions 0.12.x of Node.js are not affected.

• Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
• Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

CVE-2015-3194 OpenSSL Certificate verify crash with missing PSS parameter

A bug exists in OpenSSL v1.0.1 and v1.0.2 that may cause a crash during certificate verification procedures when supplied with a malformed ASN.1 signature using the RSA PSS algorithm. This may be used as a the basis of a denial of service (DoS) attack against Node.js TLS servers using client authentication. Node.js TLS clients are also impacted if supplied with malformed certificates for verification. Details are available at http://openssl.org/news/secadv/20151203.txt.

OpenSSL v1.0.0 is used in Node.js v0.10.x and v0.12.x. OpenSSL v1.0.2 is used in Node.js v4.x LTS and v5.x. It is strongly recommended that Node.js users employing either TLS client or server code upgrade as soon as practical.

• Versions 0.10.x of Node.js are vulnerable, please upgrade to v0.10.41 (Maintenance).
• Versions 0.12.x of Node.js are vulnerable, please upgrade to v0.12.9 (LTS).
• Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade to v4.2.3 "Argon" (LTS).
• Versions 5.x of Node.js are vulnerable, please upgrade to v5.1.1 (Stable).

Note: Node.js users are not considered vulnerable to the two additional announced OpenSSL vulnerabilities: CVE-2015-3195 "X509_ATTRIBUTE memory leak" and CVE-2015-3196 "Race condition handling PSK identify hint". However, fixes for these bugs are included with the new versions of OpenSSL bundled with the newly patched versions of Node.js.