blog: aug 2019 security post-release announcement

nodejs · Aug 15, 2019 · 8b1c0cd · 8b1c0cd
1 parent e1dd6e2
commit 8b1c0cd
Showing 1 changed file with 61 additions and 19 deletions.
diff --git a/locale/en/blog/vulnerability/aug-2019-security-releases.md b/locale/en/blog/vulnerability/aug-2019-security-releases.md
@@ -1,37 +1,79 @@
 ---
-date: 2019-08-13T21:30:00.000Z
+date: 2019-08-15TXX:XX:00.000Z
 category: vulnerability
 title: August 2019 Security Releases
 slug: august-2019-security-releases
 layout: blog-post.hbs
 author: Sam Roberts
 ---
 
-# Summary
-
-The Node.js project will release new versions of all supported release lines
-on, or shortly after, Thursday, August 15th, 2019 UTC. These releases will
-incorporate security fixes to HTTP/2 Denial of Service vulnerabilities in
-Node.js, the highest severity of which is HIGH.
-
-The Denial of Service vulnerabilities to be fixed are common to a broad range
-of HTTP/2 implementations. Details about them were publicly disclosed on August
-13th, 2019. See
+Node.js, as well as many other implementations of HTTP/2, have been found
+vulnerable to Denial of Service attacks. See
 https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
 for more information.
 
-## Impact
+Updates are now available for all active Node.js release lines.
+
+We recommend that all Node.js users upgrade to a version listed below as soon
+as possible.
+
+## Downloads & release details
+
+Downloads are available for the following versions. Details of code changes can
+also be found on each release page.
+
+* Node.js 8.17.0: https://nodejs.org/dist/latest-v8.x/
+* Node.js 10.17.0: https://nodejs.org/dist/latest-v10.x/
+* Node.js 12.8.1: https://nodejs.org/dist/latest-v12.x
 
-Releases for all actively supported release lines (Node.js 8, 10, and 12) will
-be made available to fix the disclosed HTTP/2 vulnerabilities.
+## Vulnerabilities Fixed
 
-## Release timing
+***Impact***: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following:
 
-Releases will be available at, or shortly after, Thursday, August 15th, 2019
-UTC, along with disclosure of the details for the flaws addressed in each
-release in order to allow for complete impact assessment by users.
+* __CVE-2019-9511 “Data Dribble”__: The attacker requests a large amount of
+  data from a specified resource over multiple streams. They manipulate window
+  size and stream priority to force the server to queue the data in 1-byte
+  chunks. Depending on how efficiently this data is queued, this can consume
+  excess CPU, memory, or both, potentially leading to a denial of service.
+* __CVE-2019-9512 “Ping Flood”__: The attacker sends continual pings to an
+  HTTP/2 peer, causing the peer to build an internal queue of responses.
+  Depending on how efficiently this data is queued, this can consume excess
+  CPU, memory, or both, potentially leading to a denial of service.
+* __CVE-2019-9513 “Resource Loop”__: The attacker creates multiple request
+  streams and continually shuffles the priority of the streams in a way that
+  causes substantial churn to the priority tree. This can consume excess CPU,
+  potentially leading to a denial of service.
+* __CVE-2019-9514 “Reset Flood”__: The attacker opens a number of streams and
+  sends an invalid request over each stream that should solicit a stream of
+  RST_STREAM frames from the peer. Depending on how the peer queues the
+  RST_STREAM frames, this can consume excess memory, CPU, or both, potentially
+  leading to a denial of service.
+* __CVE-2019-9515 “Settings Flood”__: The attacker sends a stream of SETTINGS
+  frames to the peer. Since the RFC requires that the peer reply with one
+  acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
+  equivalent in behavior to a ping. Depending on how efficiently this data is
+  queued, this can consume excess CPU, memory, or both, potentially leading to
+  a denial of service.
+* __CVE-2019-9516 “0-Length Headers Leak”__: The attacker sends a stream of
+  headers with a 0-length header name and 0-length header value, optionally
+  Huffman encoded into 1-byte or greater headers. Some implementations allocate
+  memory for these headers and keep the allocation alive until the session
+  dies. This can consume excess memory, potentially leading to a denial of
+  service.
+* __CVE-2019-9517 “Internal Data Buffering”__: The attacker opens the HTTP/2
+  window so the peer can send without constraint; however, they leave the TCP
+  window closed so the peer cannot actually write (many of) the bytes on the
+  wire. The attacker then sends a stream of requests for a large response
+  object. Depending on how the servers queue the responses, this can consume
+  excess memory, CPU, or both, potentially leading to a denial of service.
+* __CVE-2019-9518 “Empty Frames Flood”__: The attacker sends a stream of frames
+  with an empty payload and without the end-of-stream flag. These frames can be
+  DATA, HEADERS, CONTINUATION and/or PUSH\_PROMISE. The peer spends time
+  processing each frame disproportionate to attack bandwidth. This can consume
+  excess CPU, potentially leading to a denial of service. (Discovered by Piotr
+  Sikora of Google)
 
-## Contact and future updates
+### Contact and future updates
 
 The current Node.js security policy and information about how to report a
 vulnerability can be found at https://nodejs.org/en/security/.