Heap-based buffer overflow in nodejs-current (Alpine package)

1) Heap-based buffer overflow

EUVDB-ID: #VU16168

Risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-12121

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The disclosed vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to heap-based buffer overflow. A remote attacker can send many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers, trigger memory corruption and cause the Node.js HTTP server to abort.

Mitigation

Install update from vendor's website.

Vulnerable software versions

nodejs-current (Alpine package): 11.1.0-r0

External links

http://git.alpinelinux.org/aports/commit/?id=bd2573712de1614fdb052e833bc6ab037c54997b
http://git.alpinelinux.org/aports/commit/?id=ef901440524286c30fa8a9bc9d3cef3f36339d9f
http://git.alpinelinux.org/aports/commit/?id=8cdc1514a48e59f1229d3c5f3cf136dc0eabfe16
http://git.alpinelinux.org/aports/commit/?id=1b6fe87123809adb71d7a3a11c0633972d70beed
http://git.alpinelinux.org/aports/commit/?id=d30e50323c5f1784719c4be7a9c21388b2ac6dcb
http://git.alpinelinux.org/aports/commit/?id=9506edbe44db07fc65aab5d444e7e02ca3767187

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.