Engine Yard Developer Center

October 18, 2013 - Node.js security vulnerability

Updated: October 30th, 2013

The Node.js community has released this information about a security vulnerability:

Node.js is vulnerable to a denial of service attack when a client sends many pipelined HTTP requests on a single connection, and the client does not read the responses from the connection.

We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP servers in production please update as soon as possible.

Note: For Engine Yard Node.js customers who retained the default / recommended Nginx application server stack, this vulnerability is not a concern.

This security update contains the following sections:

  • Issue - security vulnerability summarized.
  • Solution - the recommended solution for most cases.
  • Workaround - alternatives in case you cannot upgrade now or have older versions.
  • FAQs - frequently asked questions.
  • More information - helpful links related to this security vulnerability.

Issue

Details about the security vulnerability were released October 22nd, 2013:

DoS Vulnerability

Denial of Service (DoS) with pipelined HTTP requests over one connection. This vulnerability has been assigned the CVE identifier CVE-2013-4450.

Versions Affected: 0.8.x and 0.10.x.

Not affected: 0.6.x

Fixed Versions: 0.8.26 and 0.10.21

Solution

Recommended solution:

  1. Upgrade your Engine Yard Gentoo (stable-v2) stack to the latest cookbook (Security Hotfix: Node.js DoS vulnerability expected October 30th, 2013).
  2. Click Apply, then click Deploy in your environment to pick up the new version and re-deploy your Node.js app.
  3. Verify that the updated package is installed with this:

    equery list net-libs/nodejs-0.8.17-r1

  4. Verify that your app is using the correct version of Node.js with this:

    ls -lad /proc/$(ps -elf | grep '[n]ode ./app' | awk '{print $4}')/exe

    If the update is working, the symlink should point to /opt/nodejs/0.8.17/bin/node; otherwise, submit a ticket with Engine Yard Support.

Note: We understand that you may not be able to upgrade your cookbooks (or choose not to do so) at this time. In these cases, you can implement the workaround described in the next section.

Workaround

Use Nginx app server stack

Nginx in front of Node.js prevents the DoS attack because, by default, it closes a keep-alive connection after 100 requests, so a client cannot build up an unbounded backlog of pipelined requests against the Node.js process.

FAQs

How can I tell which versions I have now?

This command shows all Node.js packages installed:

equery list net-libs/nodejs

Why does the Engine Yard stack include 0.8.17 if the maintenance release was 0.8.26?

The security patches that were released by the Node.js community in 0.8.26 have been applied to the 0.8.17 version on the Engine Yard Gentoo (stable-v2) stack.

Why is the nodejs-0.8.11 package still installed?

There are non-externally-facing consumers of Node.js that were vetted on 0.8.11, such as Rails asset compilation, so 0.8.11 remains a stock package for our instance image.

When will 0.8.26 and 0.10.21 be available on Engine Yard?

We will release these versions on the Engine Yard Gentoo 12.11 (stable-v4) stack in the near future.

Are 0.6.x versions safe?

The security patches have not been applied to 0.6.21 because 0.6 is not receiving updates. We recommend you move up to 0.8 as soon as possible.

More information

For more information about ...              See ...

Node.js DoS Vulnerability                   http://blog.nodejs.org/2013/10/22/cve-2013-4450-http-server-pipeline-flood-dos/

Node v0.10.21 (Stable) release              http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/

Node v0.8.26 (Maintenance) release          http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/

Security Hotfix: Node.js DoS vulnerability  October 2013 Release Notes
