Node.js is facing two security vulnerabilities, including a potentially
major denial-of-service issue, with patches for the problems not
available for a week. Releases of Node.js ranging from 0.12 to version 5
are vulnerable to one or both issues.
A bulletin issued today by the Node.js Foundation, which has
jurisdiction over the popular server-side JavaScript platform,
covers "a high-impact denial-of-service vulnerability" and a
"low-impact V8 out-of-bounds access vulnerability." V8 is the
Google-developed JavaScript engine used by Node.js. Officially, the
DoS issue is labeled CVE-2015-8027 (CVE: Common Vulnerabilities and
Exposures), while the access problem is identified as CVE-2015-6764.
"We have two previously undisclosed vulnerabilities. One's not that
big a deal [the out-of-bounds access issue], one's a slightly bigger deal,"
said Mikeal Rogers, community manager for the foundation. "Both will be
fixed on Wednesday (December 2)" via patches that will be available at
Nodejs.org. Rogers said these vulnerabilities had not been exploited.
The bulletin describes the DoS vulnerability as widespread among Node
versions. "A bug exists in Node.js, all versions of v0.12.x through to
v5.x inclusive, whereby an external attacker can cause a denial of
service. The severity of this issue is high, and users of the affected
versions should plan to upgrade when a fix is made available."
The out-of-bounds vulnerability description is less dire. "An additional
bug exists in Node.js, all versions of v4.x and v5.x, whereby an
attacker may be able to trigger an out-of-bounds access and/or denial of
service if user-supplied JavaScript can be executed by an application.
The severity of this issue is considered medium for Node.js users, but
only under circumstances where an attacker may cause user-supplied
JavaScript to be executed within a Node.js application. Fixes will be
shipped for the v4.x and v5.x release lines along with fixes for
CVE-2015-8027." The v0.10.x and v0.12.x lines are not affected by this second issue.
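As an added illustration, not code from the article or from the Node.js Foundation, the following Node.js script classifies a version string against the two release-line ranges the bulletin states: v0.12.x through v5.x for the DoS issue, and v4.x and v5.x for the V8 out-of-bounds issue. The function names are my own and the sample version strings are constructed. One caveat a practitioner should keep in mind: the fixes ship as new releases within the 4.x and 5.x lines, so a match only tells you that a version sits in an affected line, not whether it is an unpatched build.

```javascript
// Added example (not from the article or the Node.js Foundation): classify a
// Node.js version string against the affected release lines the bulletin names.
//   CVE-2015-8027 (DoS):            v0.12.x through v5.x inclusive
//   CVE-2015-6764 (V8 OOB access):  v4.x and v5.x only
// This is a release-line check, not a patch-level check: fixed builds released
// within 4.x/5.x still match, so treat a hit as "verify the exact build".

function parseNodeVersion(version) {
  // Accept "v4.2.2", "4.2.2", "v0.12.9"; reject anything else (e.g. "latest").
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) throw new Error(`unrecognised Node.js version string: ${version}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Compare (major, minor) tuples; the bulletin's ranges ignore the patch level.
function cmpMajorMinor(a, b) {
  return a.major !== b.major ? a.major - b.major : a.minor - b.minor;
}

// Returns the list of CVE identifiers from the bulletin whose stated range
// contains the given version (empty array when none apply).
function affectedAdvisories(version) {
  const v = parseNodeVersion(version);
  const advisories = [];
  // DoS: every release line from 0.12 up to and including 5.x.
  if (cmpMajorMinor(v, { major: 0, minor: 12 }) >= 0 && v.major <= 5) {
    advisories.push('CVE-2015-8027');
  }
  // OOB access: only the 4.x and 5.x release lines.
  if (v.major === 4 || v.major === 5) {
    advisories.push('CVE-2015-6764');
  }
  return advisories;
}

// Informational report for the interpreter running this script.
if (typeof process !== 'undefined' && typeof process.version === 'string') {
  const hits = affectedAdvisories(process.version);
  console.log(
    `${process.version}: ${hits.length ? hits.join(', ') : 'outside the release lines named in the bulletin'}`
  );
}
```

Run it with `node` on each host you manage and compare the output against the fixed releases published on Nodejs.org once they are available; the script deliberately refuses strings such as `latest` so that a misconfigured inventory cannot silently pass as "not affected".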
Despite the seriousness of the security issues, Node representatives
stressed that users shouldn't be worried. The threat to the community is
"minimal," Rogers said. "In fact, we already have fixes for both. It is
a routine part of our security policy, which we take seriously, to
inform our community of vulnerabilities, and then give them time to plan
for an upgrade."
Rogers said Node.js security is under more scrutiny since the formation
of the foundation, which is affiliated with the Linux Foundation. "We
have much more formal and proper security policy now."
This story, "Node.js discloses two critical security vulnerabilities," was originally published by InfoWorld.