Security Advisory

Multiple Node.js Vulnerabilities

Severity

High

Vendor

Node.js

Versions Affected

  • Node.js:
    • 4.x versions prior to 4.8.4
    • 6.x versions prior to 6.11.1
    • 7.x versions prior to 7.10.1
    • 8.x versions prior to 8.1.4

Description

All current versions of v4.x through to v8.x inclusive are vulnerable to an issue that can be used by an external attacker to cause a denial of service. The severity of this vulnerability is high and users of the affected versions should plan to upgrade. [1]

The releases for the affected Node.js release lines have been updated to include the patches needed to address the following issues in Node.js dependencies. These are all considered to be low severity for Node.js due to the limited impact or likelihood of exploit in the Node.js environment.

CVE-2017-1000381 – c-ares NAPTR parser out of bounds access

A security vulnerability has been discovered in the c-ares library that is bundled with all versions of Node.js. Parsing of NAPTR responses could be triggered to read memory outside of the given input buffer through carefully crafted DNS response packets. The patch recommended in CVE-2017-1000381 has been added to the version of c-ares in Node.js in these releases.

This is a low severity defect and affects all active release lines (4.x, 6.x and 8.x) as well as the 7.x line.

Affected Cloud Foundry Products and Versions

  • Node.js buildpack versions prior to v1.6.3
  • Ruby buildpack versions prior to v1.6.44
  • .NET Core buildpack versions prior to v1.0.22

Mitigation

Users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry version 269 or later [2] OR
  • Upgrade the individual buildpacks to the following versions and restage all applications that use automated buildpack detection:
    • Node.js buildpack v1.6.3 [3]
    • Ruby buildpack v1.6.44 [4]
    • .NET Core buildpack v1.0.22 [5]
  • Please Note: as of July 20, cf-release v269 has not yet been finalized. Cf-release v268 contains the updated buildpacks except for the Node.js buildpack.
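
To check a Node.js runtime or buildpack version against the thresholds listed in this advisory, the following added example (not code from Cloud Foundry or the Node.js project) compares versions numerically, since a plain string comparison would wrongly rank 6.9.x above 6.11.1. The buildpack keys `nodejs`, `ruby` and `dotnet-core` are labels chosen for this example.

```javascript
// Added example: thresholds copied from this advisory's lists.
// First fixed Node.js release per major line (anything lower is affected).
const NODE_FIXED = { 4: [4, 8, 4], 6: [6, 11, 1], 7: [7, 10, 1], 8: [8, 1, 4] };
// First fixed buildpack releases; the keys are labels assumed for this example.
const BUILDPACK_FIXED = {
  nodejs: [1, 6, 3],
  ruby: [1, 6, 44],
  'dotnet-core': [1, 0, 22],
};

// Parse "v6.11.0" or "6.11.0" into [6, 11, 0]; returns null if malformed.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(s).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric compare of two [major, minor, patch] triples: <0, 0 or >0.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Shared decision: 'invalid', 'not-listed', 'affected' or 'fixed'.
function status(v, fixed) {
  if (!v) return 'invalid';
  if (!fixed) return 'not-listed'; // line or component the advisory does not name
  return compare(v, fixed) < 0 ? 'affected' : 'fixed';
}

// Classify a Node.js version string such as process.version.
function nodeStatus(version) {
  const v = parseVersion(version);
  return status(v, v ? NODE_FIXED[v[0]] : undefined);
}

// Classify a buildpack version for one of the labels above.
function buildpackStatus(name, version) {
  return status(parseVersion(version), BUILDPACK_FIXED[name]);
}

// Report on the runtime executing this script.
console.log(`node ${process.version}: ${nodeStatus(process.version)}`);
```

A result of `not-listed` means the advisory makes no statement about that release line, not that the version is safe.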

References

Cloud Foundry Foundation Security Team, AUTHOR
