openSUSE-SU-2019:1076

openSUSE-SU-2019:1173

openSUSE-SU-2019:1211

RHSA-2019:1821

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

GLSA-202003-48

https://security.netapp.com/advisory/ntap-20190502-0008/

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:2925 advisory.

  - nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass (CVE-2019-5737)

  - HTTP/2: large amount of data requests leads to denial of service (CVE-2019-9511)

  - HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)

  - HTTP/2: flood using PRIORITY frames results in excessive resource consumption (CVE-2019-9513)

  - HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)

  - HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)

  - HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)

  - HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

  - HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202003-48 (Node.js: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Node.js. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly write arbitrary files, cause a Denial       of Service condition or can conduct HTTP request splitting attacks.
  Workaround :

    There is no known workaround at this time.

An update of the nodejs package has been released.

This update for nodejs10 to version 10.1.2 fixes the following issue:
&#9; Security issue fixed :

  - CVE-2019-5737: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127532).

This update was imported from the SUSE:SLE-12:Update update project.

This update for nodejs6 to version 6.17.0 fixes the following issues :

Security issues fixed :

  - CVE-2019-5739: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127533).

  - CVE-2019-5737: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127532).

  - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding     Oracle which under certain circumstances a TLS server     can be forced to respond differently to a client and     lead to the decryption of the data (bsc#1127080).

Release Notes: https://nodejs.org/en/blog/release/v6.17.0/ 

This update was imported from the SUSE:SLE-12:Update update project.

This update for nodejs8 to version 8.15.1 fixes the following issue :

Security issue fixed :

  - CVE-2019-5737: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127532).

This update was imported from the SUSE:SLE-15:Update update project.

This update for nodejs6 to version 6.17.0 fixes the following issues :

Security issues fixed :

CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533).

CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).

CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

Release Notes: https://nodejs.org/en/blog/release/v6.17.0/

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs4 fixes the following issues :

Security issues fixed :

  - CVE-2019-5739: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127533).

  - CVE-2019-5737: Fixed a potentially attack vector which     could lead to Denial of Service when HTTP connection are     kept active (bsc#1127532).

  - CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding     Oracle which under certain circumstances a TLS server     can be forced to respond differently to a client and     lead to the decryption of the data (bsc#1127080).&#9; 

This update was imported from the SUSE:SLE-12:Update update project.

This update for nodejs4 fixes the following issues :

Security issues fixed :

CVE-2019-5739: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127533).

CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).

CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle which under certain circumstances a TLS server can be forced to respond differently to a client and lead to the decryption of the data (bsc#1127080).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 to version 10.1.2 fixes the following issue :

Security issue fixed :

CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs8 to version 8.15.1 fixes the following issue :

Security issue fixed :

CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for nodejs10 to versio 10.15.2 fixes the following issue :

Security issue fixed :

CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Node.js reports :

Updates are now available for all active Node.js release lines. In addition to fixes for security flaws in Node.js, they also include upgrades of Node.js 6 and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security vulnerability.

For these releases, we have decided to withhold the fix for the Misinterpretation of Input (CWE-115) flaw mentioned in the original announcement. This flaw is very low severity and we are not satisfied that we had a complete and stable fix ready for release. We will be seeking to address this flaw via alternate mechanisms in the near future. In addition, we have introduced an additional CVE for a change in Node.js 6 that we have decided to classify as a Denial of Service (CWE-400) flaw.

We recommend that all Node.js users upgrade to a version listed below as soon as possible. OpenSSL: 0-byte record padding oracle (CVE-2019-1559) OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this vulnerability as they use newer versions of OpenSSL which do not contain the flaw.

Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC.
This can be used as the basis of a padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain conditions are exploitable. We are currently unable to determine whether the use of OpenSSL in Node.js exposes this vulnerability. We are taking a cautionary approach and recommend the same for users. For more information, see the advisory and a detailed write-up by the reporters of the vulnerability.

ID	Name	Product	Family	Severity
145589	CentOS 8 : nodejs:10 (CESA-2019:2925)	Nessus	CentOS Local Security Checks	high
134776	GLSA-202003-48 : Node.js: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
132525	Photon OS 1.0: Nodejs PHSA-2019-1.0-0257	Nessus	PhotonOS Local Security Checks	medium
124104	openSUSE Security Update : nodejs10 (openSUSE-2019-1211)	Nessus	SuSE Local Security Checks	medium
123919	openSUSE Security Update : nodejs6 (openSUSE-2019-1173)	Nessus	SuSE Local Security Checks	medium
123821	openSUSE Security Update : nodejs8 (openSUSE-2019-1167)	Nessus	SuSE Local Security Checks	medium
123551	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2019:0818-1)	Nessus	SuSE Local Security Checks	medium
123495	openSUSE Security Update : nodejs4 (openSUSE-2019-1076)	Nessus	SuSE Local Security Checks	medium
122999	SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2019:0658-1)	Nessus	SuSE Local Security Checks	medium
122965	SUSE SLES12 Security Update : nodejs10 (SUSE-SU-2019:0636-1)	Nessus	SuSE Local Security Checks	medium
122964	SUSE SLES15 Security Update : nodejs8 (SUSE-SU-2019:0635-1)	Nessus	SuSE Local Security Checks	medium
122944	SUSE SLES15 Security Update : nodejs10 (SUSE-SU-2019:0627-1)	Nessus	SuSE Local Security Checks	medium
122571	FreeBSD : Node.js -- multiple vulnerabilities (b71d7193-3c54-11e9-a3f9-00155d006b02)	Nessus	FreeBSD Local Security Checks	medium

CVE-2019-5737

MEDIUM

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

high

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium