## Summary

The Node.js project will be releasing new versions across all of its active release lines early next week (possibly sooner, pending full impact assessment) to incorporate upstream patches from OpenSSL and some additional low-severity fixes relating to HTTP handling. Please read on for full details.
## OpenSSL

The OpenSSL project announced this week that they will be releasing versions 1.0.2f and 1.0.1r on the 28th of January, UTC. The releases will fix two security defects that are labelled as "high" severity under their security policy, meaning they are:

> ... issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.
Node.js v0.10 and v0.12 both use OpenSSL v1.0.1, and Node.js v4 and v5 both use OpenSSL v1.0.2; in each case OpenSSL is normally statically compiled into Node.js. Therefore, all active release lines are impacted by this update.

At this stage, due to the embargo, the exact nature of these defects is uncertain, as is the impact they will have on Node.js users.
## Low-severity Node.js security fixes

In addition, we have some fixes to release relating to Node.js HTTP processing. We categorise these as low-severity and are not aware of any existing exploits leveraging the defects. Full details are embargoed until new releases are available.
Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric | Score |
|-----------------------------|----------------------------|
| **Base Score:** | 4.8 (Medium) |
| **Base Vector:** | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| **Attack Vector:** | Network (AV:N) |
| **Attack Complexity:** | High (AC:H) |
| **Privileges Required:** | None (PR:N) |
| **User Interaction:** | None (UI:N) |
| **Scope of Impact:** | Unchanged (S:U) |
| **Confidentiality Impact:** | Low (C:L) |
| **Integrity Impact:** | Low (I:L) |
| **Availability Impact:** | None (A:N) |

Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.
## Impact

Both the OpenSSL updates and the Node.js fixes affect all actively maintained release lines of Node.js.
- Versions 0.10.x of Node.js are affected.
- Versions 0.12.x of Node.js are affected.
- Versions 4.x, including LTS Argon, of Node.js are affected.
- Versions 5.x of Node.js are affected.
## Release timing

As the OpenSSL release is planned for late in the week, we are currently planning on deferring Node.js releases until early next week due to the complexity of the upgrade process and a preference for not releasing security fixes at the end of the work-week or on the weekend.
Releases will be available at, or shortly after, Monday the 1st of February, 11pm UTC (Monday the 1st of February, 3pm Pacific Time), along with disclosure of the details of the defects to allow for complete impact assessment by users.
However, when details of the OpenSSL defects are released on the 28th, our crypto team will be making a more detailed assessment of the likely severity for Node.js users. In the event that the team determines that the fixes are critical in nature for Node.js users, we may choose to expedite releases for Friday or Saturday in order to ensure that users have the ability to protect their deployments against a disclosed vulnerability.
Please monitor the nodejs-sec Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release:
https://groups.google.com/forum/#!topic/nodejs-sec
## Contact and future updates

The current Node.js security policy can be found at https://nodejs.org/en/security/.

Please contact secu...@nodejs.org if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.