FreeBSD : node.js -- multiple vulnerabilities (27180c99-9b5c-11e6-b799-19bef72f4b7c)

Medium Nessus Plugin ID 94415


The remote FreeBSD host is missing a security-related update.


Node.js v6.9.0 LTS contains the following security fixes, specific to v6.x :

Disable auto-loading of openssl.cnf: Don't automatically attempt to load an OpenSSL configuration file, from the OPENSSL_CONF environment variable or from the default location for the current platform. Always triggering a configuration file load attempt may allow an attacker to load compromised OpenSSL configuration into a Node.js process if they are able to place a file in a default location.

Patched V8 arbitrary memory read (CVE-2016-5172): The V8 parser mishandled scopes, potentially allowing an attacker to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. This vulnerability would require an attacker to be able to execute arbitrary JavaScript code in a Node.js process.

Create a unique v8_inspector WebSocket address: Generate a UUID for each execution of the inspector. This provides additional security to prevent unauthorized clients from connecting to the Node.js process via the v8_inspector port when running with --inspect. Since the debugging protocol allows extensive access to the internals of a running process, and the execution of arbitrary code, it is important to limit connections to authorized tools only. Note that the v8_inspector protocol in Node.js is still considered an experimental feature. Vulnerability originally reported by Jann Horn.

All of these vulnerabilities are considered low-severity for Node.js users, however, users of Node.js v6.x should upgrade at their earliest convenience.


Update the affected package.

See Also

Plugin Details

Severity: Medium

ID: 94415

File Name: freebsd_pkg_27180c999b5c11e6b79919bef72f4b7c.nasl

Version: $Revision: 2.1 $

Type: local

Published: 2016/10/31

Modified: 2016/10/31

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N


Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:node, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2016/10/28

Vulnerability Publication Date: 2016/10/18

Reference Information

CVE: CVE-2016-5172