May 2nd, 2016
- Node v6.1.0 (Current): http://nodejs.org/en/blog/release/v6.1.0/
- Node v5.11.1: http://nodejs.org/en/blog/release/v5.11.1/
- Node v4.4.4 (LTS): http://nodejs.org/en/blog/release/v4.4.4/
- Node v0.12.14 (Maintenance): http://nodejs.org/en/blog/release/v0.12.14/
- Node v0.10.45 (Maintenance): http://nodejs.org/en/blog/release/v0.10.45/
... issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable.
Node.js v0.10 and v0.12 both use OpenSSL v1.0.1, and Node.js v4, v5 and v6 use OpenSSL v1.0.2. Releases from nodejs.org and some other popular distribution sources are statically compiled. Therefore, all active release lines are impacted by this update.
At this stage, due to embargo, the exact nature of these defects is uncertain, as is what impact they will have on Node.js users, if any.
We will proceed as follows:
- Within approximately 24 hours of the OpenSSL releases, our crypto team will make an impact assessment for Node.js users of the OpenSSL releases. This information may vary between the different active release lines and will be posted here.
- As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact.
Please be prepared for the possibility of important updates to Node.js v0.10, v0.12, v4, v5 and v6 soon after Tuesday, the 3rd of May. It is likely that, if upgrades are required, they will be ready on or after Thursday, the 5th of May. Note that Node.js v5 will be supported until June and will therefore be included in this set of releases.
Please monitor the nodejs-sec Google Group for updates, including an impact assessment and updated details on release timing within approximately 24 hours after the OpenSSL release: https://groups.google.com/forum/#!forum/nodejs-sec https://nodejs.org/en/security/.
Please contact email@example.com if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organisation.
1.0.2h and 1.0.1t. The results of this analysis are included below.
We will be producing new versions this week for all of our active release lines containing the new versions of OpenSSL in order to provide security assurance. We will provide an update here once all releases are available. We anticipate that they will be available on, or soon after, Thursday the 5th of May, UTC.
CVE-2016-2107: Padding oracle in AES-NI CBC MAC check
A man-in-the-middle (MITM) attacker may be able to execute a padding oracle attack to decrypt traffic when a connection uses an AES-CBC cipher and the server runs on an Intel CPU supporting AES-NI. This is a common configuration for TLS servers. The OpenSSL project has labelled this vulnerability high severity.
Assessment: All versions of Node.js are affected by this vulnerability.
CVE-2016-2105: EVP_EncodeUpdate overflow
An overflow can occur in the OpenSSL EVP_EncodeUpdate() function, which is used for Base64 encoding of binary data. An attacker must be able to supply large amounts of input data in order to cause an overflow. Node.js uses EVP_EncodeUpdate() internally during calls to crypto.Certificate#exportPublicKey() for SPKAC Certificate Signing Requests. User-supplied data must be passed to this method for applications to be vulnerable. This method has been available since Node.js v0.12. The OpenSSL project has labelled this vulnerability low severity.
- Node.js v0.10 is unaffected
- Node.js v0.12, v4, v5 and v6 are affected
CVE-2016-2108: Memory corruption in the ASN.1 encoder
Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.
CVE-2016-2106: EVP_EncryptUpdate overflow
Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.
CVE-2016-2109: ASN.1 BIO excessive memory allocation (CVE-2016-2109)
Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.
CVE-2016-2176: EBCDIC overread
Assessment: All versions of Node.js are believed to be unaffected by this vulnerability.
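
An added example, not part of the original advisory or of Node.js itself: a check that maps a runtime's version and bundled OpenSSL version onto the assessments above. The function and constant names are illustrative; the fixed Node.js releases are the ones listed at the top of this page, and it assumes the "1.0.2h and 1.0.1t" mentioned above are the patched OpenSSL releases.

```javascript
// Added example: names are illustrative, not a Node.js API.
// Fixed Node.js releases listed at the top of this page, keyed by release line.
const FIXED_NODE = {
  '0.10': [0, 10, 45], '0.12': [0, 12, 14],
  '4': [4, 4, 4], '5': [5, 11, 1], '6': [6, 1, 0],
};
// Assumption: the page's "1.0.2h and 1.0.1t" are the patched OpenSSL releases.
const FIXED_OPENSSL = { '1.0.1': 't', '1.0.2': 'h' };

function parseNode(version) {
  return version.replace(/^v/, '').split('.').map((n) => parseInt(n, 10));
}

function releaseLine(version) {
  const [major, minor] = parseNode(version);
  return major === 0 ? `0.${minor}` : String(major);
}

// true/false for 1.0.1 and 1.0.2 builds, null for anything else (out of scope).
function opensslPatched(opensslVersion) {
  const m = /^(1\.0\.[12])([a-z]*)/.exec(opensslVersion || '');
  if (!m) return null;
  // Letter suffixes sort lexically: '' < 'g' < 'h' < 't'.
  return m[2] >= FIXED_OPENSSL[m[1]];
}

function nodePatched(version) {
  const fixed = FIXED_NODE[releaseLine(version)];
  if (!fixed) return null; // release line not covered by this advisory
  const have = parseNode(version);
  for (let i = 0; i < 3; i++) {
    if (have[i] !== fixed[i]) return have[i] > fixed[i];
  }
  return true;
}

function assess(version, opensslVersion) {
  const line = releaseLine(version);
  const ssl = opensslPatched(opensslVersion);
  const affectedBy = [];
  if (ssl === false) {
    affectedBy.push('CVE-2016-2107'); // assessed as affecting all release lines
    // exportPublicKey() has only been available since v0.12
    if (line !== '0.10') affectedBy.push('CVE-2016-2105');
  }
  return { line, nodePatched: nodePatched(version), opensslPatched: ssl, affectedBy };
}

console.log(assess(process.version, process.versions.openssl));
```

A non-empty `affectedBy` means the build predates the fix; whether an application is actually exposed still depends on the conditions described for each CVE, such as AES-CBC on an AES-NI CPU or user-supplied data reaching exportPublicKey().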