USN-4796-1: Node.js vulnerabilities

Releases

• Ubuntu 18.04 ESM
• Ubuntu 16.04 ESM
• Ubuntu 14.04 ESM

Packages

• nodejs - evented I/O for V8 javascript

Details

Alexander Minozhenko and James Bunton discovered that Node.js did not
properly handle wildcards in name fields of X.509 TLS certificates. An
attacker could use this vulnerability to execute a machine-in-the-middle-
attack. This issue only affected Ubuntu 14.04 ESM and 16.04 ESM. (CVE-2016-7099)

It was discovered that Node.js incorrectly handled certain NAPTR responses.
A remote attacker could possibly use this issue to cause applications using
Node.js to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 ESM. (CVE-2017-1000381)

Nikita Skovoroda discovered that Node.js mishandled certain input, leading
to an out of bounds write. An attacker could use this vulnerability to
cause a denial of service (crash) or possibly execute arbitrary code. This
issue was only fixed in Ubuntu 18.04 ESM. (CVE-2018-12115)

Arkadiy Tetelman discovered that Node.js improperly handled certain
malformed HTTP requests. An attacker could use this vulnerability to inject
unexpected HTTP requests. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-12116)

Jan Maybach discovered that Node.js did not time out if incomplete
HTTP/HTTPS headers were received. An attacker could use this vulnerability
to cause a denial of service by keeping HTTP/HTTPS connections alive for a
long period of time. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12122)

Martin Bajanik discovered that the url.parse() method would return
incorrect results if it received specially crafted input. An attacker could
use this vulnerability to spoof the hostname and bypass hostname-specific
security controls. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12123)

It was discovered that Node.js is vulnerable to a DNS rebinding attack which
could be exploited to perform remote code execution. An attack is possible
from malicious websites open in a web browser with network access to the system
running the Node.js process. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-7160)

It was discovered that the Buffer.fill() and Buffer.alloc() methods
improperly handled certain inputs. An attacker could use this vulnerability
to cause a denial of service. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-7167)

Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS
connections. An attacker could use this vulnerability to cause a denial of
service. This issue was only fixed in Ubuntu 18.04 ESM. (CVE-2019-5737)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04

• nodejs-dev - 8.10.0~dfsg-2ubuntu0.4+esm1
  Available with Ubuntu Pro
• nodejs-doc - 8.10.0~dfsg-2ubuntu0.4+esm1
  Available with Ubuntu Pro
• nodejs - 8.10.0~dfsg-2ubuntu0.4+esm1
  Available with Ubuntu Pro

Ubuntu 16.04

• nodejs-dev - 4.2.6~dfsg-1ubuntu4.2+esm1
  Available with Ubuntu Pro
• nodejs-legacy - 4.2.6~dfsg-1ubuntu4.2+esm1
  Available with Ubuntu Pro
• nodejs - 4.2.6~dfsg-1ubuntu4.2+esm1
  Available with Ubuntu Pro

Ubuntu 14.04

• nodejs-dev - 0.10.25~dfsg2-2ubuntu1.2+esm1
  Available with Ubuntu Pro
• nodejs-legacy - 0.10.25~dfsg2-2ubuntu1.2+esm1
  Available with Ubuntu Pro
• nodejs - 0.10.25~dfsg2-2ubuntu1.2+esm1
  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References

• CVE-2018-7160
• CVE-2017-1000381
• CVE-2018-12115
• CVE-2016-7099
• CVE-2018-12122
• CVE-2018-7167
• CVE-2018-12123
• CVE-2019-5737
• CVE-2018-12116

Related notices

• USN-3395-1: libc-ares-dev, libc-ares2, c-ares