|
1 | 1 | --- |
2 | | -date: 2017-10-17T19:30:00.617Z |
| 2 | +date: 2017-10-24T22:00:00.617Z |
3 | 3 | category: vulnerability |
4 | 4 | title: DOS security vulnerability, October 2017 |
5 | 5 | slug: oct-2017-dos |
6 | 6 | layout: blog-post.hbs |
7 | 7 | author: Michael Dawson |
8 | 8 | --- |
9 | 9 |
|
| 10 | +# _(Update 24-October-2017)_ Releases available |
| 11 | + |
| 12 | +## Summary |
| 13 | + |
| 14 | +Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement. |
| 15 | + |
| 16 | +We recommend that all users upgrade as soon as possible. |
| 17 | + |
| 18 | +**Downloads** |
| 19 | +* [Node.js v8 (Current)](https://nodejs.org/en/blog/release/v8.8.0) |
| 20 | +* [Node.js v6 (LTS "Boron")](https://nodejs.org/en/blog/release/v6.11.5) |
| 21 | +* [Node.js v4 (LTS "Argon")](https://nodejs.org/en/blog/release/v4.8.5) |
| 22 | + |
| 23 | +## Node.js-specific security flaws |
| 24 | + |
| 25 | +Node.js was susceptible to a remote DoS attack due to a change that came in as part of |
| 26 | +zlib v1.2.9. In zlib v1.2.9 `8` became an invalid value for the `windowBits` parameter |
| 27 | +and Node's zlib module will crash or throw an exception (depending on the version) if you call: |
| 28 | +``` |
| 29 | +zlib.createDeflateRaw({windowBits: 8}) |
| 30 | +``` |
| 31 | +The `windowBits` parameter controls how much of a message zlib keeps in memory |
| 32 | +while compressing it. A larger "window", as it's called, means more |
| 33 | +opportunities to spot and compress repeated bits of text, but results in higher |
| 34 | +memory usage. windowBits is the base-2 logarithm of the size of this window in |
| 35 | +bytes, and previously could take any integer value from 8 to 15. |
| 36 | + |
| 37 | +This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of `8` for `windowBits` in certain cases or with a custom built WebSocket client. There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of `windowBits` of 8. |
| 38 | + |
| 39 | +This problem was resolved within Node.js by changing any request for a `windowBits` size of 8 to use a `windowsBits` size of 9 instead. This is consistent with previous zLib behavior and we believe minimizes the impact of the change on existing applications. |
| 40 | + |
| 41 | +This vulnerability has been assigned CVE-2017-14919. |
| 42 | + |
| 43 | + |
| 44 | +***Original post is included below*** |
| 45 | + |
| 46 | +-------------------------------------- |
10 | 47 | # Summary |
11 | 48 | The Node.js project will be releasing new versions of 4.x, 6.x, and 8.x the week of the 24th of October to incorporate a security fix. |
12 | 49 |
|
|
0 commit comments