Fedora 20 : v8-3.14.5.10-11.fc20 (2014-9095)

Severity: high | Nessus Plugin ID 77071

Synopsis

The remote Fedora host is missing a security update.

Description

TJ Fontaine of the Node.js project reports:

A memory corruption vulnerability, which results in a denial-of-service, was identified in the versions of V8 that ship with Node.js 0.8 and 0.10. In certain circumstances, a particularly deep recursive workload that may trigger a GC and receive an interrupt may overflow the stack and result in a segmentation fault. For instance, if your work load involves successive `JSON.parse` calls and the parsed objects are significantly deep, you may experience the process aborting while parsing.

This issue was identified by Tom Steele of [Lift Security](https://liftsecurity.io/), and Fedor Indutny, Node.js Core Team member, worked closely with the V8 team to find our resolution.

The V8 issue is described here https://codereview.chromium.org/339883002

It has landed in the Node repository here:
https://github.com/joyent/node/commit/530af9cb8e700e7596b3ec812bad123c9fa06356

And has been released in the following versions:

- [v0.10.30](http://nodejs.org/dist/v0.10.30) http://blog.nodejs.org/2014/07/31/node-v0-10-30-stable/

- [v0.8.28](http://nodejs.org/dist/v0.8.28) http://blog.nodejs.org/2014/07/31/node-v0-8-28-maintenance/

### The Fix

[Applied in this update.]

### Remediation

The best course of action is to patch or upgrade Node.js.

### Mitigation

To mitigate against deep JSON parsing you can limit the size of the string you parse against, or ban clients who trigger a `RangeError` for parsing JSON.

There is no specific maximum size of a JSON string, though keeping the max to the size of your known message bodies is suggested. If your message bodies cannot be over 20K, there's no reason to accept 1MB bodies.

For web frameworks that do automatic JSON parsing, you may need to configure the routes that accept JSON payloads to have a maximum body size.

- [expressjs](http://expressjs.com) and [krakenjs](http://krakenjs.com) used with the [body-parser](https://github.com/expressjs/body-parser#bodyparserjsonoptions) plugin accept a `limit` parameter in your JSON config

- [Hapi.js](http://hapijs.com) has `payload.maxBytes` https://github.com/spumko/hapi/blob/master/docs/Reference.md

- [restify](http://mcavage.me/node-restify/#Bundled-Plugins) bundled `bodyParser` accepts a `maxBodySize`

Source:
https://groups.google.com/d/msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ
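The mitigation section above recommends bounding the size of JSON bodies and banning clients whose payloads trigger a `RangeError`. The following is an added example, not code from the advisory or from the Node.js project, that implements both checks as a drop-in wrapper around `JSON.parse`; it goes one step beyond the text by also bounding nesting depth, since deep nesting is what drives the recursion. All helper names (`jsonNestingDepth`, `parseJsonBounded`, `ClientStrikes`) and the depth limit are assumptions.

```javascript
// Added example (not from the advisory): bound JSON input by byte size and
// nesting depth before handing it to JSON.parse, and count abusive clients.
const MAX_JSON_BYTES = 20 * 1024;  // the advisory's "20K message bodies" example
const MAX_JSON_DEPTH = 32;         // assumed limit; tune to your message schema

// Scan the raw text and return the deepest {[ nesting, ignoring brackets that
// appear inside string literals. Returns early once `limit` is exceeded.
function jsonNestingDepth(text, limit = Infinity) {
  let depth = 0, maxDepth = 0, inString = false, escaped = false;
  for (const ch of text) {
    if (inString) {
      if (escaped) escaped = false;
      else if (ch === '\\') escaped = true;
      else if (ch === '"') inString = false;
      continue;
    }
    if (ch === '"') inString = true;
    else if (ch === '{' || ch === '[') {
      if (++depth > maxDepth) maxDepth = depth;
      if (depth > limit) return depth;
    } else if (ch === '}' || ch === ']') depth--;
  }
  return maxDepth;
}

// Returns { ok: true, value } or { ok: false, reason } and never throws.
function parseJsonBounded(body, { maxBytes = MAX_JSON_BYTES, maxDepth = MAX_JSON_DEPTH } = {}) {
  // Measure bytes, not characters: multi-byte UTF-8 would slip past a length check.
  if (Buffer.byteLength(body, 'utf8') > maxBytes) return { ok: false, reason: 'too_large' };
  if (jsonNestingDepth(body, maxDepth) > maxDepth) return { ok: false, reason: 'too_deep' };
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (err) {
    // A RangeError from JSON.parse is the stack-exhaustion signal the advisory
    // describes; a SyntaxError is ordinary malformed input, not abuse.
    return { ok: false, reason: err instanceof RangeError ? 'range_error' : 'syntax_error' };
  }
}

// Strike counter for the "ban clients who trigger a RangeError" mitigation; a
// body rejected as too deep counts as a strike too, since it is the same workload.
class ClientStrikes {
  constructor(threshold = 3) { this.threshold = threshold; this.counts = new Map(); }
  // Returns true once the client has reached the ban threshold.
  record(clientId, result) {
    if (result.ok || (result.reason !== 'range_error' && result.reason !== 'too_deep')) return false;
    const n = (this.counts.get(clientId) || 0) + 1;
    this.counts.set(clientId, n);
    return n >= this.threshold;
  }
}
```

The same byte limit is what the `limit`, `payload.maxBytes` and `maxBodySize` framework options above enforce; the depth scan is an extra guard for code paths that call `JSON.parse` directly.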

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected v8 package.

See Also

https://nodejs.org/en/blog/release/v0.10.30/

https://nodejs.org/en/blog/release/v0.8.28/

http://expressjs.com

https://hapijs.com/

http://krakenjs.com

http://restify.com#Bundled-Plugins

http://nodejs.org/dist/v0.10.30/

http://nodejs.org/dist/v0.8.28/

https://bugzilla.redhat.com/show_bug.cgi?id=1125464

https://codereview.chromium.org/339883002

https://github.com/expressjs/body-parser#bodyparserjsonoptions

http://www.nessus.org/u?a86e6922

https://github.com/hapijs/hapi/blob/master/docs/Reference.md

https://groups.google.com/forum/#!msg/nodejs/-siJEObdp10/2xcqqmTHiEMJ

https://liftsecurity.io/

http://www.nessus.org/u?1a0e85fa

Plugin Details

Severity: High

ID: 77071

File Name: fedora_2014-9095.nasl

Version: 1.5

Type: local

Agent: unix

Published: 8/8/2014

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:v8, cpe:/o:fedoraproject:fedora:20

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 8/1/2014

Reference Information

FEDORA: 2014-9095