Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

doc: releases avail for oct DOS sec vuln #1420

Closed
wants to merge 2 commits into from
Closed

doc: releases avail for oct DOS sec vuln #1420

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fe450d2
doc: releases avail for oct DOS sec vuln
mhdawson Oct 24, 2017
68440d5
squash: address comments
mhdawson Oct 24, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 38 additions & 1 deletion locale/en/blog/vulnerability/oct-2017-dos.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,49 @@
---
date: 2017-10-17T19:30:00.617Z
date: 2017-10-24T22:00:00.617Z
category: vulnerability
title: DOS security vulnerability, October 2017
slug: oct-2017-dos
layout: blog-post.hbs
author: Michael Dawson
---

# _(Update 24-October-2017)_ Releases available

## Summary

Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement.

We recommend that all users upgrade as soon as possible.

**Downloads**
* [Node.js v8 (Current)](https://nodejs.org/en/blog/release/v8.8.0)
* [Node.js v6 (LTS "Boron")](https://nodejs.org/en/blog/release/v6.11.5)
* [Node.js v4 (LTS "Argon")](https://nodejs.org/en/blog/release/v4.8.5)

## Node.js-specific security flaws

Node.js was susceptible to a remote DoS attack due to a change that came in as part of
zlib v1.2.9. In zlib v1.2.9 `8` became an invalid value for the `windowBits` parameter
and Node's zlib module will crash or throw an exception (depending on the version) if you call:
```
zlib.createDeflateRaw({windowBits: 8})
```
The `windowBits` parameter controls how much of a message zlib keeps in memory
while compressing it. A larger "window", as it's called, means more
opportunities to spot and compress repeated bits of text, but results in higher
memory usage. windowBits is the base-2 logarithm of the size of this window in
bytes, and previously could take any integer value from 8 to 15.

This problem (Node.js crashing or throwing an exception) could be remotely exploited using some of the existing WebSocket clients that may request a value of `8` for `windowBits` in certain cases or with a custom built WebSocket client. There may also exist other vectors through which a zLib operation would be initiated by a remote request with a window size that results in a value of `windowBits` of 8.

This problem was resolved within Node.js by changing any request for a `windowBits` size of 8 to use a `windowsBits` size of 9 instead. This is consistent with previous zLib behavior and we believe minimizes the impact of the change on existing applications.

This vulnerability has been assigned CVE-2017-14919.


***Original post is included below***

--------------------------------------
# Summary
The Node.js project will be releasing new versions of 4.x, 6.x, and 8.x the week of the 24th of October to incorporate a security fix.

Expand Down