Vulnerability identifier: #VU38646

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-11499

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Node.js: 4.0.0, 4.1.0 - 4.1.2, 4.2.0 - 4.2.6, 4.3.0 - 4.3.2, 4.4.0 - 4.4.7, 4.5.0, 4.6.0 - 4.6.2, 4.7.0 - 4.7.3, 4.8.0 - 4.8.3, 5.0.0, 5.1.0 - 5.1.1, 5.2.0, 5.3.0, 5.4.0 - 5.4.1, 5.5.0, 5.6.0, 5.7.0 - 5.7.1, 5.8.0, 5.9.0 - 5.9.1, 5.10.0 - 5.10.1, 5.11.0 - 5.11.1, 5.12.0, 6.0.0, 6.1.0, 6.2.0 - 6.2.2, 6.3.0 - 6.3.1, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 6.8.0 - 6.8.1, 6.9.0 - 6.9.5, 6.10.0 - 6.10.3, 6.11.0 - 6.11.1, 7.0.0, 7.1.0, 7.2.0 - 7.2.1, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0 - 7.7.4, 7.8.0, 7.9.0, 7.10.0 - 7.10.1, 8.0.0, 8.1.0 - 8.1.3

---

External links
http://www.securityfocus.com/bid/99959
http://access.redhat.com/errata/RHSA-2017:2908
http://access.redhat.com/errata/RHSA-2017:3002
http://nodejs.org/en/blog/vulnerability/july-2017-security-releases/

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.