On July 4th, a security update was released fixing a critical vulnerability in Node.js and io.js. The essence of the vulnerability is that converting a buffer to a UTF-8 string can crash the application.
I quote my free translation of the text of the official message:
First of all, it is clear that the fix for the problem is not ideal, but it will buy us time to develop a better one. In the US it is evening on the July 4th weekend (Independence Day).
We urge you to update, because details of the vulnerability and its potential exploitation inadvertently ended up in a public forum. So we prefer to give companies and users a tool to protect their projects and mitigate DoS attacks if they happen, because it is better to face reality than to sit with your fingers crossed. Time is short, especially in the USA, where it is now a holiday, which makes all of this a nightmare for people deploying larger projects. But we make this appeal with useful information.
In short:
Chris Reeves and Trevor Norris discovered a bug in V8, in the method that decodes UTF-8 strings. The essence of the bug is that converting a buffer to a UTF-8 string can crash the process. This becomes a security problem because a large share of the data entering an application goes through this mechanism; it means users can send specially crafted strings to "kill" the application. We know that most network and file system operations are affected, as are direct calls that convert a buffer to a UTF-8 string. We know that HTTP(S) header parsing is not affected, since Node does not convert that data to UTF-8. That is a small consolation that limits the ways it can be exploited over HTTP(S), but obviously there are still plenty of them. We also do not yet have information on how the vulnerability affects TLS terminators and forward proxies.
The patch release was scheduled for noon PST. Of course, the patch was not ready on time. During the day, extensive testing and verification were carried out on V8, io.js and Node.js. Building also took some time, and all of this caused the delay. Fedor Indutny promptly prepared the fix, and Ben Noordhuis, Trevor Norris, Julien Gilli, Rod Vagg, Michael Dawson and Jeremiah Senkpiel worked hard on the update.
[Source]
UPD: Thank you arelay for the corrections.