CVE-2015-8027 Denial of Service Vulnerability / CVE-2015-6764 V8 Out-of-bounds Access Vulnerability #4029

Closed
@rvagg

This announcement is for:

CVE-2015-8027 Denial of Service Vulnerability

Description and CVSS Score

A bug exists in Node.js, all versions of v0.12.x through to v5.x inclusive, whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _vulnerable_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric | Score |
| --- | --- |
| Base Score: | 7.5 (High) |
| Base Vector: | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: | Network (AV:N) |
| Attack Complexity: | Low (AC:L) |
| Privileges Required: | None (PR:N) |
| User Interaction: | None (UI:N) |
| Scope of Impact: | Unchanged (S:U) |
| Confidentiality Impact: | None (C:N) |
| Integrity Impact: | None (I:N) |
| Availability Impact: | High (A:H) |

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:R/CR:L/IR:L/AR:H/MAV:N/MAC:L/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-8027 is listed on the MITRE CVE dictionary and NIST NVD.

CVE-2015-6764 V8 Out-of-bounds Access Vulnerability

Description and CVSS Score

An additional bug exists in Node.js, all versions of v4.x and v5.x, whereby an attacker may be able to trigger an out-of-bounds access and/or denial of service if user-supplied JavaScript can be executed by an application. The severity of this issue is considered medium for Node.js users (see CVSS scoring below), but only under circumstances where an attacker may cause user-supplied JavaScript to be executed within a Node.js application. Fixes will be shipped for the v4.x and v5.x release lines along with fixes for CVE-2015-8027.

  • Versions 0.10.x of Node.js are _not affected_.
  • Versions 0.12.x of Node.js are _not affected_.
  • Versions 4.x, including LTS Argon, of Node.js are _vulnerable_.
  • Versions 5.x of Node.js are _vulnerable_.

Full details of this vulnerability are embargoed until new releases are available on Wednesday the 2nd of December 2015, UTC (Tuesday the 1st of December US time).

Common Vulnerability Scoring System (CVSS) v3 Base Score:

| Metric | Score |
| --- | --- |
| Base Score: | 4.4 (Medium) |
| Base Vector: | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector: | Network (AV:N) |
| Attack Complexity: | Medium (AC:H) |
| Privileges Required: | High (PR:H) |
| User Interaction: | None (UI:N) |
| Scope of Impact: | Unchanged (S:U) |
| Confidentiality Impact: | None (C:N) |
| Integrity Impact: | None (I:N) |
| Availability Impact: | High (A:H) |

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:R/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-6764 is listed on the MITRE CVE dictionary and NIST NVD.

Action and updates

New releases of v0.12.x, v4.x and v5.x on Wednesday the 2nd of December 2015, UTC will be made available with appropriate fixes for CVE-2015-8027 and CVE-2015-6764 (for v4.x and v5.x only) along with disclosure of the details of the bug to allow for complete impact assessment by users.

Contact and future updates

Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.


A note for @nodejs/collaborators on timing:

  • The DoS flaw was discovered by @indutny a few weeks ago and we have been sitting on it while we prepare for getting v0.12 releases out with the new infrastructure.
  • We decided to push a v0.12.8 out this week, even knowing that we'd push a v0.12.9 out next week because we really need people testing builds of 0.12 created with our new build system just in case there are problems with the binaries that we haven't anticipated (both OSX and Windows are using newer compilers, we have new build servers with slightly different configs, there's a bunch of things that could mean that v0.12.8 binaries are not close enough to v0.12.7 binaries for strange deployment environments). An alternative was to make v0.12.8 the security release but the risk of disclosing details of the DoS vulnerability while not having binaries that work wherever v0.12.x users are using Node is too high, so this double-release thing is an attempt to mitigate that risk.
  • v0.12.9 and v4.2.3 will contain only the required commits to fix the security problems.
  • v5.1.1 may be a standard release with the security commits on top (in the past we've not been as strict with Stable releases, although we don't have a documented policy on this so ...).
  • The releases will come with full disclosure, so users need to be prepared to upgrade as soon as practical.
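
The base scores quoted in the announcement above can be re-derived from its vectors. This is an added example, not part of the original announcement or Node.js project code; it uses the metric weights and equations of the CVSS v3.0 specification, and the function names are chosen here for illustration. Temporal and environmental metrics in a complete vector are accepted but do not affect the base score.

```javascript
// Metric weights from the CVSS v3.0 specification (base metrics only).
const WEIGHTS = {
  AV: { N: 0.85, A: 0.62, L: 0.55, P: 0.2 },
  AC: { L: 0.77, H: 0.44 },
  UI: { N: 0.85, R: 0.62 },
  C: { H: 0.56, L: 0.22, N: 0 },
  I: { H: 0.56, L: 0.22, N: 0 },
  A: { H: 0.56, L: 0.22, N: 0 },
};
// Privileges Required is weighted differently when Scope is Changed.
const PR = { U: { N: 0.85, L: 0.62, H: 0.27 }, C: { N: 0.85, L: 0.68, H: 0.5 } };

// Round up to one decimal place with integer arithmetic (avoids float artifacts).
function roundUp1(x) {
  const i = Math.round(x * 100000);
  return i % 10000 === 0 ? i / 100000 : (Math.floor(i / 10000) + 1) / 10;
}

// Parse "CVSS:3.0/AV:N/..." into { AV: 'N', ... }, rejecting duplicate metrics.
function parseVector(vector) {
  const [prefix, ...parts] = vector.split('/');
  if (prefix !== 'CVSS:3.0') throw new Error(`unsupported prefix: ${prefix}`);
  const metrics = Object.create(null);
  for (const part of parts) {
    const [name, value] = part.split(':');
    if (!name || !value || name in metrics) throw new Error(`bad metric: ${part}`);
    metrics[name] = value;
  }
  return metrics;
}

function cvssBaseScore(vector) {
  const m = parseVector(vector);
  if (m.S !== 'U' && m.S !== 'C') throw new Error('missing or invalid S');
  const w = (name, table = WEIGHTS[name]) => {
    if (typeof table[m[name]] !== 'number') throw new Error(`missing or invalid ${name}`);
    return table[m[name]];
  };
  const iscBase = 1 - (1 - w('C')) * (1 - w('I')) * (1 - w('A'));
  const impact = m.S === 'U' ? 6.42 * iscBase
    : 7.52 * (iscBase - 0.029) - 3.25 * Math.pow(iscBase - 0.02, 15);
  const exploitability = 8.22 * w('AV') * w('AC') * w('PR', PR[m.S]) * w('UI');
  if (impact <= 0) return 0;
  const raw = m.S === 'U' ? impact + exploitability : 1.08 * (impact + exploitability);
  return roundUp1(Math.min(raw, 10));
}

// The two base vectors from the announcement.
console.log(cvssBaseScore('CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'));
console.log(cvssBaseScore('CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H'));
```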
