From caaccec60328827b6fca6c2d89067a302968f598 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Thu, 15 Aug 2019 10:43:34 -0700 Subject: [PATCH] blog: aug 2019 security post-release announcement --- .../aug-2019-security-releases.md | 81 ++++++++++++++----- 1 file changed, 62 insertions(+), 19 deletions(-) diff --git a/locale/en/blog/vulnerability/aug-2019-security-releases.md b/locale/en/blog/vulnerability/aug-2019-security-releases.md index ec7879940d368..a911c125941b1 100644 --- a/locale/en/blog/vulnerability/aug-2019-security-releases.md +++ b/locale/en/blog/vulnerability/aug-2019-security-releases.md @@ -1,5 +1,5 @@ --- -date: 2019-08-13T21:30:00.000Z +date: 2019-08-15T22:43:22.000Z category: vulnerability title: August 2019 Security Releases slug: august-2019-security-releases 
@@ -7,31 +7,74 @@ layout: blog-post.hbs author: Sam Roberts --- -# Summary - -The Node.js project will release new versions of all supported release lines -on, or shortly after, Thursday, August 15th, 2019 UTC. These releases will -incorporate security fixes to HTTP/2 Denial of Service vulnerabilities in -Node.js, the highest severity of which is HIGH. - -The Denial of Service vulnerabilities to be fixed are common to a broad range -of HTTP/2 implementations. Details about them were publicly disclosed on August -13th, 2019. See +Node.js, as well as many other implementations of HTTP/2, have been found +vulnerable to Denial of Service attacks. See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md for more information. -## Impact +Updates are now available for all active Node.js release lines, except Linux +ARMv6 builds for Node.js 8.x which are still building. + +We recommend that all Node.js users upgrade to a version listed below as soon +as possible. + +## Downloads & release details + +Downloads are available for the following versions. Details of code changes can +also be found on each release page. + +* Node.js 8.16.1: https://nodejs.org/dist/latest-v8.x/ +* Node.js 10.16.3: https://nodejs.org/dist/latest-v10.x/ +* Node.js 12.8.1: https://nodejs.org/dist/latest-v12.x -Releases for all actively supported release lines (Node.js 8, 10, and 12) will -be made available to fix the disclosed HTTP/2 vulnerabilities. +## Vulnerabilities Fixed -## Release timing +***Impact***: All versions of Node.js 8 (LTS "Carbon"), Node.js 10 (LTS "Dubnium"), and Node.js 12 (Current) are vulnerable to the following: -Releases will be available at, or shortly after, Thursday, August 15th, 2019 -UTC, along with disclosure of the details for the flaws addressed in each -release in order to allow for complete impact assessment by users. 
+* __CVE-2019-9511 “Data Dribble”__: The attacker requests a large amount of + data from a specified resource over multiple streams. They manipulate window + size and stream priority to force the server to queue the data in 1-byte + chunks. Depending on how efficiently this data is queued, this can consume + excess CPU, memory, or both, potentially leading to a denial of service. +* __CVE-2019-9512 “Ping Flood”__: The attacker sends continual pings to an + HTTP/2 peer, causing the peer to build an internal queue of responses. + Depending on how efficiently this data is queued, this can consume excess + CPU, memory, or both, potentially leading to a denial of service. +* __CVE-2019-9513 “Resource Loop”__: The attacker creates multiple request + streams and continually shuffles the priority of the streams in a way that + causes substantial churn to the priority tree. This can consume excess CPU, + potentially leading to a denial of service. +* __CVE-2019-9514 “Reset Flood”__: The attacker opens a number of streams and + sends an invalid request over each stream that should solicit a stream of + RST\_STREAM frames from the peer. Depending on how the peer queues the + RST\_STREAM frames, this can consume excess memory, CPU, or both, potentially + leading to a denial of service. +* __CVE-2019-9515 “Settings Flood”__: The attacker sends a stream of SETTINGS + frames to the peer. Since the RFC requires that the peer reply with one + acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost + equivalent in behavior to a ping. Depending on how efficiently this data is + queued, this can consume excess CPU, memory, or both, potentially leading to + a denial of service. +* __CVE-2019-9516 “0-Length Headers Leak”__: The attacker sends a stream of + headers with a 0-length header name and 0-length header value, optionally + Huffman encoded into 1-byte or greater headers. 
Some implementations allocate + memory for these headers and keep the allocation alive until the session + dies. This can consume excess memory, potentially leading to a denial of + service. +* __CVE-2019-9517 “Internal Data Buffering”__: The attacker opens the HTTP/2 + window so the peer can send without constraint; however, they leave the TCP + window closed so the peer cannot actually write (many of) the bytes on the + wire. The attacker then sends a stream of requests for a large response + object. Depending on how the servers queue the responses, this can consume + excess memory, CPU, or both, potentially leading to a denial of service. +* __CVE-2019-9518 “Empty Frames Flood”__: The attacker sends a stream of frames + with an empty payload and without the end-of-stream flag. These frames can be + DATA, HEADERS, CONTINUATION and/or PUSH\_PROMISE. The peer spends time + processing each frame disproportionate to attack bandwidth. This can consume + excess CPU, potentially leading to a denial of service. (Discovered by Piotr + Sikora of Google) -## Contact and future updates +### Contact and future updates The current Node.js security policy and information about how to report a vulnerability can be found at https://nodejs.org/en/security/.
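Review bot: In the first hunk, rewriting `date:` from the pre-release announcement time to the post-release time changes the publication timestamp of an already-published post; the slug is unchanged so existing links still resolve, but since the new body drops the "publicly disclosed on August 13th, 2019" sentence, consider keeping a line with the disclosure date so readers can still see the timeline between disclosure and the fixed releases.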
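Review bot: In the second hunk, the Node.js 12.8.1 download link `https://nodejs.org/dist/latest-v12.x` is missing the trailing slash that the v8.x and v10.x entries have, and "## Contact and future updates" is demoted to `###`, which nests it under "## Vulnerabilities Fixed" although it is a sibling section; suggest `https://nodejs.org/dist/latest-v12.x/` and keeping the `##` level. Two smaller points: "Node.js, as well as many other implementations of HTTP/2, have been found" should read "has been found" (the subject is singular), and the "except Linux ARMv6 builds for Node.js 8.x which are still building" caveat needs a comma before "which" and a follow-up edit once those builds are published.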