Updated: October 30th, 2013
The Node.js community has released this information about a security vulnerability:
Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection.
We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible.
Note: For Engine Yard Node.js customers who retained the default / recommended Nginx application server stack, this vulnerability is not a concern.
This security update contains the following sections:
- Issue - security vulnerability summarized.
- Solution - the recommended solution for most cases.
- Workaround - alternatives in case you cannot upgrade now or have older versions.
- FAQs - frequently asked questions.
- More information - helpful links related to this security vulnerability.
Issue
Details about the security vulnerability were released October 22nd, 2013:
DoS Vulnerability
Denial of Service (DoS) with pipelined HTTP requests over one connection: a client that pipelines many requests on a single connection and never reads the responses causes the server to keep parsing requests and queueing responses for that client, consuming memory until the process is unusable. This vulnerability has been assigned the CVE identifier CVE-2013-4450.
Versions Affected: 0.8.x and 0.10.x.
Not affected: 0.6.x
Fixed Versions: 0.8.26 and 0.10.21
Solution
Recommended solution:
- Upgrade your Engine Yard Gentoo (stable-v2) stack to the latest cookbook (Security Hotfix: Node.js DoS vulnerability, expected October 30th, 2013).
- Click Apply, then click Deploy in your environment to pick up the new version and re-deploy your Node.js app.
- Verify that the patched package is installed:
  equery list net-libs/nodejs-0.8.17-r1
- Verify that your running app is using the patched Node.js binary (the grep pattern assumes the process was started as `node ./app`; adjust it if your app is started differently):
  ls -lad /proc/$(ps -elf | grep '[n]ode ./app' | awk '{print $4}')/exe
  If the fix is in place, the symlink points to /opt/nodejs/0.8.17/bin/node. If it points anywhere else, submit a ticket with Engine Yard Support.
Note: We understand that you may not be able to upgrade your cookbooks (or choose not to do so) at this time. In these cases, you can implement the workaround described in the next section.
Workaround
Use Nginx app server stack
Nginx prevents the attack from reaching your Node.js app: it terminates the client connection itself, forwards requests to the upstream one at a time rather than passing the pipelined stream through, and by default closes a client connection after 100 requests (the keepalive_requests directive). A client that floods pipelined requests therefore exhausts nginx's per-connection limit, not your app's memory.
FAQs
How can I tell which versions I have now?
This command shows all Node.js packages installed:
equery list net-libs/nodejs
Why does the Engine Yard stack include 0.8.17 if the maintenance release was 0.8.26?
The security patches that were released by the Node.js community in 0.8.26 have been applied to the 0.8.17 version on the Engine Yard Gentoo (stable-v2) stack.
Why is the nodejs-0.8.11 package still installed?
There are non-externally-facing consumers of Node.js that were vetted on 0.8.11, such as Rails asset compilation, so 0.8.11 remains a stock package for our instance image.
When will 0.8.26 and 0.10.21 be available on Engine Yard?
We will release these versions on the Engine Yard Gentoo 12.11 (stable-v4) stack in the near future.
Are 0.6.x versions safe?
The security patches have not been applied to 0.6.21 because 0.6 is not receiving updates. We recommend you move up to 0.8 as soon as possible.
More information
For more information about ... | See ... |
---|---|
Node.js DoS Vulnerability | http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos/ |
Node v0.10.21 (Stable) release | http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/ |
Node v0.8.26 (Maintenance) release | http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/ |
Security Hotfix: Node.js DoS vulnerability | |
If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.