|
1 | 1 | --- |
2 | | -date: 2019-08-13T21:30:00.000Z |
| 2 | +date: 2019-08-15TXX:XX:00.000Z |
3 | 3 | category: vulnerability |
4 | 4 | title: August 2019 Security Releases |
5 | 5 | slug: august-2019-security-releases |
6 | 6 | layout: blog-post.hbs |
7 | 7 | author: Sam Roberts |
8 | 8 | --- |
9 | 9 |
|
10 | | -# Summary |
11 | | - |
12 | | -The Node.js project will release new versions of all supported release lines |
13 | | -on, or shortly after, Thursday, August 15th, 2019 UTC. These releases will |
14 | | -incorporate security fixes to HTTP/2 Denial of Service vulnerabilities in |
15 | | -Node.js, the highest severity of which is HIGH. |
16 | | - |
17 | | -The Denial of Service vulnerabilities to be fixed are common to a broad range |
18 | | -of HTTP/2 implementations. Details about them were publicly disclosed on August |
19 | | -13th, 2019. See |
| 10 | +Node.js, as well as many other implementations of HTTP/2, have been found |
| 11 | +vulnerable to Denial of Service attacks. See |
20 | 12 | https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md |
21 | 13 | for more information. |
22 | 14 |
|
23 | | -## Impact |
| 15 | +Updates are now available for all active Node.js release lines. |
| 16 | + |
| 17 | +We recommend that all Node.js users upgrade to a version listed below as soon |
| 18 | +as possible. |
| 19 | + |
| 20 | +## Downloads & release details |
| 21 | + |
| 22 | +Downloads are available for the following versions. Details of code changes can |
| 23 | +also be found on each release page. |
| 24 | + |
| 25 | +* Node.js 8.17.0: https://nodejs.org/dist/latest-v8.x/ |
| 26 | +* Node.js 10.17.0: https://nodejs.org/dist/latest-v10.x/ |
| 27 | +* Node.js 12.8.1: https://nodejs.org/dist/latest-v12.x |
24 | 28 |
|
25 | | -Releases for all actively supported release lines (Node.js 8, 10, and 12) will |
26 | | -be made available to fix the disclosed HTTP/2 vulnerabilities. |
| 29 | +## Vulnerabilities Fixed |
27 | 30 |
|
28 | | -## Release timing |
| 31 | +***Impact***: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following: |
29 | 32 |
|
30 | | -Releases will be available at, or shortly after, Thursday, August 15th, 2019 |
31 | | -UTC, along with disclosure of the details for the flaws addressed in each |
32 | | -release in order to allow for complete impact assessment by users. |
| 33 | +* __CVE-2019-9511 “Data Dribble”__: The attacker requests a large amount of |
| 34 | + data from a specified resource over multiple streams. They manipulate window |
| 35 | + size and stream priority to force the server to queue the data in 1-byte |
| 36 | + chunks. Depending on how efficiently this data is queued, this can consume |
| 37 | + excess CPU, memory, or both, potentially leading to a denial of service. |
| 38 | +* __CVE-2019-9512 “Ping Flood”__: The attacker sends continual pings to an |
| 39 | + HTTP/2 peer, causing the peer to build an internal queue of responses. |
| 40 | + Depending on how efficiently this data is queued, this can consume excess |
| 41 | + CPU, memory, or both, potentially leading to a denial of service. |
| 42 | +* __CVE-2019-9513 “Resource Loop”__: The attacker creates multiple request |
| 43 | + streams and continually shuffles the priority of the streams in a way that |
| 44 | + causes substantial churn to the priority tree. This can consume excess CPU, |
| 45 | + potentially leading to a denial of service. |
| 46 | +* __CVE-2019-9514 “Reset Flood”__: The attacker opens a number of streams and |
| 47 | + sends an invalid request over each stream that should solicit a stream of |
| 48 | + RST_STREAM frames from the peer. Depending on how the peer queues the |
| 49 | + RST_STREAM frames, this can consume excess memory, CPU, or both, potentially |
| 50 | + leading to a denial of service. |
| 51 | +* __CVE-2019-9515 “Settings Flood”__: The attacker sends a stream of SETTINGS |
| 52 | + frames to the peer. Since the RFC requires that the peer reply with one |
| 53 | + acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost |
| 54 | + equivalent in behavior to a ping. Depending on how efficiently this data is |
| 55 | + queued, this can consume excess CPU, memory, or both, potentially leading to |
| 56 | + a denial of service. |
| 57 | +* __CVE-2019-9516 “0-Length Headers Leak”__: The attacker sends a stream of |
| 58 | + headers with a 0-length header name and 0-length header value, optionally |
| 59 | + Huffman encoded into 1-byte or greater headers. Some implementations allocate |
| 60 | + memory for these headers and keep the allocation alive until the session |
| 61 | + dies. This can consume excess memory, potentially leading to a denial of |
| 62 | + service. |
| 63 | +* __CVE-2019-9517 “Internal Data Buffering”__: The attacker opens the HTTP/2 |
| 64 | + window so the peer can send without constraint; however, they leave the TCP |
| 65 | + window closed so the peer cannot actually write (many of) the bytes on the |
| 66 | + wire. The attacker then sends a stream of requests for a large response |
| 67 | + object. Depending on how the servers queue the responses, this can consume |
| 68 | + excess memory, CPU, or both, potentially leading to a denial of service. |
| 69 | +* __CVE-2019-9518 “Empty Frames Flood”__: The attacker sends a stream of frames |
| 70 | + with an empty payload and without the end-of-stream flag. These frames can be |
| 71 | + DATA, HEADERS, CONTINUATION and/or PUSH\_PROMISE. The peer spends time |
| 72 | + processing each frame disproportionate to attack bandwidth. This can consume |
| 73 | + excess CPU, potentially leading to a denial of service. (Discovered by Piotr |
| 74 | + Sikora of Google) |
33 | 75 |
|
34 | | -## Contact and future updates |
| 76 | +### Contact and future updates |
35 | 77 |
|
36 | 78 | The current Node.js security policy and information about how to report a |
37 | 79 | vulnerability can be found at https://nodejs.org/en/security/. |
|
0 commit comments