Today we will discuss some of the NodeJS vulnerabilities and their patches (Node Vulnerability).
Sam Roberts has officially released an update as a security release for NodeJS developers.
Details are given below!!
Netflix has discovered several resource exhaustion vectors affecting a variety of third-party HTTP/2 implementations. These attack vectors can be used to launch DoS attacks against servers that support HTTP/2 communication.
HTTP/2 (defined in RFCs 7540 and 7541) represents a significant change from HTTP/1.1. There are several new capabilities, including header compression and multiplexing of data from multiple streams, which make this attractive to the user community. To support these new features, HTTP/2 has grown to encompass some of the complexity of a Layer 3 transport protocol:
Data is now carried in binary frames;
There are both per-connection and per-stream windows that define how much data can be sent;
There are several ICMP-like control messages (ping, reset, and settings frames, for example) which operate at the HTTP/2 connection layer; and,
There is a fairly robust concept of stream prioritization.
While this added complexity enables some exciting new features, it also raises implementation questions. When implementations run on the internet and are exposed to malicious users, implementers may wonder:
Should I limit any of the control messages?
How do I implement the priority queueing scheme in a computationally efficient way?
How do I implement the flow-control algorithms in a computationally efficient way?
How could an attacker manipulate the flow-control algorithm at the HTTP/2 layer to cause unintended results? (And, can they manipulate the flow-control algorithms at both the HTTP/2 and TCP layers together to cause unintended results?)
Why does this matter?
Most of these attacks work at the HTTP/2 transport layer. As illustrated in the diagram below, this layer sits above the TLS transport, but below the concept of a request. In fact, many of these attacks involve either 0 or 1 requests.
Since the early days of HTTP, tooling has been oriented around requests: logs often indicate requests (rather than connections); rate-limiting may occur at the request level; and, traffic controls may be triggered by requests.
By contrast, there is not as much tooling that looks at HTTP/2 connections to log, rate-limit, and trigger remediation based on a client’s behavior at the HTTP/2 connection layer. Therefore, organizations may find it more difficult to discover and block malicious HTTP/2 connections and may need to add additional tooling to handle these situations.
These attack vectors allow a remote attacker to consume excessive system resources. Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block.
All versions of Node.js 8 (LTS “Carbon”), Node.js 10 (LTS “Dubnium”), and Node.js 12 (Current) are vulnerable.
Downloads are available for the following versions. Details of code changes can also be found on each release page.
Node.js 8.16.1: https://nodejs.org/dist/latest-v8.x/
Node.js 10.16.3: https://nodejs.org/dist/latest-v10.x/
Node.js 12.8.1: https://nodejs.org/dist/latest-v12.x/
– Helping Hands