SB2018112815 - Heap-based buffer overflow in nodejs-current (Alpine package)
Published: November 28, 2018
Description
This security bulletin contains information about 1 security vulnerability.
1) Heap-based buffer overflow (CVE-ID: CVE-2018-12121)
The disclosed vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition on the target system.
The vulnerability exists due to a heap-based buffer overflow in the handling of HTTP headers. A remote attacker can send many requests carrying the maximum-size HTTP header of nearly 80kb per connection, combined with carefully timed completion of those headers, to trigger memory corruption and cause the Node.js HTTP server process to abort.
Remediation
Install the updated nodejs-current package from the vendor's website; the Alpine aports commits that ship the fix are listed under References.
References
- https://git.alpinelinux.org/aports/commit/?id=bd2573712de1614fdb052e833bc6ab037c54997b
- https://git.alpinelinux.org/aports/commit/?id=ef901440524286c30fa8a9bc9d3cef3f36339d9f
- https://git.alpinelinux.org/aports/commit/?id=8cdc1514a48e59f1229d3c5f3cf136dc0eabfe16
- https://git.alpinelinux.org/aports/commit/?id=1b6fe87123809adb71d7a3a11c0633972d70beed
- https://git.alpinelinux.org/aports/commit/?id=d30e50323c5f1784719c4be7a9c21388b2ac6dcb
- https://git.alpinelinux.org/aports/commit/?id=9506edbe44db07fc65aab5d444e7e02ca3767187