A Brief Overview of Node.JS Security Release November 2018
To maintain a good and secured website, developers are using different website development platforms and Node.js is a well maintained and highly reliable platform that is preferred by site owners.
However, the fact is, if you are a Node.js developer and you are deploying Node.js applications to production, then you have to monitor the code actively for any vulnerabilities that may be introduced by third party code and also for performance degradation.
Recently on 27th November, the security release updates have been available for all active Node.js release lines. All of them include fixes and solutions for the vulnerabilities that were identified and they also included the upgrades of Node.js 6 and 8 to OpenSSL 1.0.2q and upgrades of Node.js 10 and 11 to OpenSSL 1.1.0j.
In order to understand the impact that the vulnerabilities have on your application and the urgency to upgrade it, let’s discuss the security issues and the solutions in details.
(CVE-2018-12120): The Debugger Port 5858 Listens on Any Interface
This default interface in now the localhost. In the latest security update, this debugger is removed in version 8 and is replaced with the inspector and so no versions from 8 onwards are vulnerable anymore.
(CVE-2018-12122) Slowloris HTTP Denial of Service
All version of 6 and later are vulnerable, but the impact is LOW. Node.js development company has to be very careful as an attacker can cause a denial of service by sending many requests and keeping the HTTP ad HTTPS connections and other resources engaged for a longer time period.
Now a timeout of 40 seconds has been applied to the servers that receives HTTP headers. Whenever the headers are not received within this period, the socket is destroyed and this helps to protect from denial of service.
(CVE-2018-12121) Denial of Service with Large HTTP Headers
Versions from 6 and onwards are vulnerable and the severity is also very HIGH. The denial of service was attained by sending many requests with maximum size HTTP header in combination with the careful completion of these headers.
Due to heap allocation failure, the Node.js HTTP server was forced to abort. But now the total size of the HTTP header received must not exceed 8192 bytes.
CVE-2018-12116: HTTP Request Splitting
Node.js 6 and onwards are vulnerable with a MEDIUM severity. If un-sanitized user provider Unicode data is used for the path option of an HTTP request, then the data can trigger an unexpected and user defined HTTP request to the same server. This security concern has been fixed and applied to Node.js 10 and later.
(CVE-2018-0735) Timing Vulnerability in OpenSSL in ECDSA Signature Generation
The Open SSL ECDSA signature algorithm is vulnerable to a timing side channel attack where the attacker can use different variations in the algorithm in order to recover the private key.