Vulnerability identifier: #VU38646
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-20
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Node.js
Server applications /
Web servers
Vendor: Node.js Foundation
Description
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Node.js: 4.0.0, 4.1.0 - 4.1.2, 4.2.0 - 4.2.6, 4.3.0 - 4.3.2, 4.4.0 - 4.4.7, 4.5.0, 4.6.0 - 4.6.2, 4.7.0 - 4.7.3, 4.8.0 - 4.8.3, 5.0.0, 5.1.0 - 5.1.1, 5.2.0, 5.3.0, 5.4.0 - 5.4.1, 5.5.0, 5.6.0, 5.7.0 - 5.7.1, 5.8.0, 5.9.0 - 5.9.1, 5.10.0 - 5.10.1, 5.11.0 - 5.11.1, 5.12.0, 6.0.0, 6.1.0, 6.2.0 - 6.2.2, 6.3.0 - 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0 - 6.8.1, 6.9.0 - 6.9.5, 6.10.0 - 6.10.3, 6.11.0 - 6.11.1, 7.0.0, 7.1.0, 7.2.0 - 7.2.1, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0 - 7.7.4, 7.8.0, 7.9.0, 7.10.0 - 7.10.1, 8.0.0, 8.1.0 - 8.1.3
External links
http://www.securityfocus.com/bid/99959
http://access.redhat.com/errata/RHSA-2017:2908
http://access.redhat.com/errata/RHSA-2017:3002
http://nodejs.org/en/blog/vulnerability/july-2017-security-releases/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.