SB2020032103 - Gentoo update for Node.js

Description

This security bulletin contains information about 15 secuirty vulnerabilities.

1) Out-of-bounds write (CVE-ID: CVE-2018-12115)

The vulnerability allows a local attacker to gain elevated privileges on the target system.

The vulnerability exists due to an out-of-bounds write condition in the Buffer component when used with UCS-2 encoding. A local attacker can cause a targeted system to stop functioning or execute arbitrary code with elevated privileges.

2) Improper input validation (CVE-ID: CVE-2018-12116)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient validation of user-provided input. A remote attacker can provide Unicode data for the path option of an HTTP request to trigger a second, unexpected, and user-defined HTTP request to made to the same server and cause the service to crash.

3) Heap-based buffer overflow (CVE-ID: CVE-2018-12121)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow. A remote attacker can send many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers, trigger memory corruption and cause the Node.js HTTP server to abort.

4) Resource exhaustion (CVE-ID: CVE-2018-12122)

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to the socket is destroyed on the next received chunk when headers are not completely received within this period. A remote attacker can send headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, consume excessive resources and cause the service to crash.

5) Spoofing attack (CVE-ID: CVE-2018-12123)

The disclosed vulnerability allows a remote attacker to conduct spoofing attack on the target system.

The vulnerability exists due to security decisions are made about the URL based on the hostname. A remote attacker can use a mixed case "javascript:" (e.g. "javAscript:") protocol and spoof the hostname when a Node.js application is using url.parse()to determine the URL hostname.

6) Improper input validation (CVE-ID: CVE-2018-7161)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to a cleanup bug where objects are used in native code after they are no longer available when the affected software interacts with an HTTP/2 server. A remote attacker can send a specially crafted request that submits malicious input to the targeted node server that provides an HTTP/2 server and cause the node server to crash.

7) Improper input validation (CVE-ID: CVE-2018-7162)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient input validation when TLS implementation. A remote attacker can send a specially crafted request that submits malicious input to the targeted node server and cause it to crash.

8) Resource exhaustion (CVE-ID: CVE-2018-7164)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient input validation when reading from the network into JavaScript using the net.Socket object directly as a stream. A remote attacker can send tiny chunks of data in short succession, trigger resource exhaustion and cause the server to crash.

9) Improper input validation (CVE-ID: CVE-2018-7167)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can supply Calling Buffer.fill() or Buffer.alloc() with some parameters and cause the server to hang.

10) Reachable assertion (CVE-ID: CVE-2019-15604)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of X509 certificates in X509V3_EXT_print(). A remote attacker can supply a specially crafted client certificate to the application and perform a denial of service attack.

11) HTTP request smuggling (CVE-ID: CVE-2019-15605)

The vulnerability allows a remote attacker to perform HTTP request smuggling attack.

The vulnerability exists due to insufficient validation of Transfer-Encoding header. A remote attacker can send a specially crafted HTTP request to the application and perform a request smuggling attack.

12) Input validation error (CVE-ID: CVE-2019-15606)

The vulnerability allows a remote attacker to manipulate HTTP headers.

The vulnerability exists due to insufficient validation of a trailing white-space character in the request headers. A remote attacker can send a specially crafted HTTP request to the application and bypass certain security restrictions.

13) Path traversal (CVE-ID: CVE-2019-16777)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. The software fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwrite the first binary. This only affects files in /usr/local/bin

A remote attacker can overwrite arbitrary files on the system.

14) Resource exhaustion (CVE-ID: CVE-2019-5737)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of keep-alive packets. A remote attacker can send keep-alive packets very slowly and trigger resource exhaustion.

15) Resource management error (CVE-ID: CVE-2019-5739)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a very long keep-alive window of 2 minutes that Node.js uses by default for every HTTP and HTTPS connection. A remote attacker can create a bige amount of keep-alive connections and consume all available resources on the system.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/
• https://security.gentoo.org/glsa/202003-48