USN-4796-1: Node.js vulnerabilities

15 March 2021

Several security issues were fixed in Node.js.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • nodejs - evented I/O for V8 javascript

Details

Alexander Minozhenko and James Bunton discovered that Node.js did not
properly handle wildcards in name fields of X.509 TLS certificates. An
attacker could use this vulnerability to execute a machine-in-the-middle-
attack. This issue only affected Ubuntu 14.04 ESM and 16.04 ESM. (CVE-2016-7099)

It was discovered that Node.js incorrectly handled certain NAPTR responses.
A remote attacker could possibly use this issue to cause applications using
Node.js to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 ESM. (CVE-2017-1000381)

Nikita Skovoroda discovered that Node.js mishandled certain input, leading
to an out of bounds write. An attacker could use this vulnerability to
cause a denial of service (crash) or possibly execute arbitrary code. This
issue was only fixed in Ubuntu 18.04 ESM. (CVE-2018-12115)

Arkadiy Tetelman discovered that Node.js improperly handled certain
malformed HTTP requests. An attacker could use this vulnerability to inject
unexpected HTTP requests. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-12116)

Jan Maybach discovered that Node.js did not time out if incomplete
HTTP/HTTPS headers were received. An attacker could use this vulnerability
to cause a denial of service by keeping HTTP/HTTPS connections alive for a
long period of time. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12122)

Martin Bajanik discovered that the url.parse() method would return
incorrect results if it received specially crafted input. An attacker could
use this vulnerability to spoof the hostname and bypass hostname-specific
security controls. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-12123)

It was discovered that Node.js is vulnerable to a DNS rebinding attack which
could be exploited to perform remote code execution. An attack is possible
from malicious websites open in a web browser with network access to the system
running the Node.js process. This issue only affected Ubuntu 18.04 ESM.
(CVE-2018-7160)

It was discovered that the Buffer.fill() and Buffer.alloc() methods
improperly handled certain inputs. An attacker could use this vulnerability
to cause a denial of service. This issue was only fixed in Ubuntu 18.04 ESM.
(CVE-2018-7167)

Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS
connections. An attacker could use this vulnerability to cause a denial of
service. This issue was only fixed in Ubuntu 18.04 ESM. (CVE-2019-5737)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 18.04
Ubuntu 16.04
Ubuntu 14.04

In general, a standard system update will make all the necessary changes.

Related notices