
Node.js Security Release Summary – November 2017


At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you’re informed about the security and stability of the Node.js platform.

Today, there was a security release for all active Node.js release lines. At time of publishing, the security vulnerability has been patched in semver minor releases of the Node.js 4.x, 6.x, 8.x, and 9.x release lines. The patched versions are:

To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.

Node.js Security Impact Assessment

CVE-2017-3735: OOB read parsing IPAddressFamily in an X.509 certificate

CVE-2017-3735 is a buffer over-read in parsing X.509 certificates that use extensions defined in RFC 3779.

Node.js disables RFC 3779 support by defining OPENSSL_NO_RFC3779 during compile. It is therefore HIGHLY UNLIKELY that a Node.js deployment would be impacted – in any way – by this vulnerability.

VERSIONS OF NODE.JS AFFECTED BY CVE-2017-3735

CVE-2017-3736: Carry-propagation bug in the x86_64 Montgomery squaring procedure

CVE-2017-3736 is a carry-propagation bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected.

Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

Source: CVE-2017-3736

CVE-2017-3736 impacts all active release lines of Node.js, but because of the EXTREMELY LOW likelihood of a successful attack exploiting the flaw, it has been deemed non-critical.
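
As an added example (not NodeSource or Node.js project code), the following Node.js script checks a runtime against the two conditions quoted above for CVE-2017-3736: an OpenSSL version before 1.0.2m or on the 1.1.0 line before 1.1.0g, and a CPU that reports BMI1, BMI2 and ADX. The function names and the sample /proc/cpuinfo text are assumptions made for the illustration; bmi1, bmi2 and adx are the flag names Linux uses for those extensions.

```javascript
// Parse OpenSSL version strings such as "1.0.2l", "1.1.0f" or "3.0.13+quic".
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(v));
  if (!m) throw new Error('unrecognised OpenSSL version: ' + v);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], patch: m[4] };
}

// Order two parsed versions; letter suffixes sort "" < "a" < ... < "z" < "za".
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (a.patch.length !== b.patch.length) return a.patch.length < b.patch.length ? -1 : 1;
  return a.patch < b.patch ? -1 : a.patch > b.patch ? 1 : 0;
}

// Range stated on the page: before 1.0.2m, or on the 1.1.0 line before 1.1.0g.
function opensslInAffectedRange(version) {
  const v = parseOpenSSLVersion(version);
  const lt = (s) => compareVersions(v, parseOpenSSLVersion(s)) < 0;
  return lt('1.0.2m') || (!lt('1.1.0') && lt('1.1.0g'));
}

// True when a Linux /proc/cpuinfo "flags" line lists BMI1, BMI2 and ADX.
// Non-x86 hosts have no such line and return false.
function cpuInScope(cpuinfoText) {
  const line = cpuinfoText.split('\n').find((l) => /^flags\s*:/.test(l));
  if (!line) return false;
  const flags = new Set(line.split(':')[1].trim().split(/\s+/));
  return ['bmi1', 'bmi2', 'adx'].every((f) => flags.has(f));
}

// Both conditions must hold for the host to match the advisory's description.
function assess(opensslVersion, cpuinfoText) {
  const versionAffected = opensslInAffectedRange(opensslVersion);
  const cpuAffected = cpuInScope(cpuinfoText);
  return { versionAffected, cpuAffected, inScope: versionAffected && cpuAffected };
}

// Constructed sample, shaped like one processor entry of /proc/cpuinfo.
const SAMPLE_CPUINFO = [
  'processor\t: 0',
  'model name\t: Example x86_64 CPU (constructed)',
  'flags\t\t: fpu sse2 avx2 bmi1 bmi2 adx rdseed',
].join('\n');

// Report for the OpenSSL version this Node.js binary was built against.
const built = process.versions.openssl;
if (built) console.log(built, assess(built, SAMPLE_CPUINFO));
```

On a Linux host, pass the contents of /proc/cpuinfo as the second argument in place of the constructed sample.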

VERSIONS OF NODE.JS AFFECTED BY CVE-2017-3736

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for modules that power mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.