Details of VAR-201310-0437

ID

VAR-201310-0437

CVE

CVE-2013-4450

TITLE

Node.js of HTTP Service disruption at the server (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2013-004826

DESCRIPTION

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response. Node.js is prone to a denial-of-service vulnerability. Remote attackers can exploit this issue to cause denial-of-service conditions. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: nodejs010-nodejs security update Advisory ID: RHSA-2013:1842-01 Product: Red Hat Software Collections Advisory URL: https://rhn.redhat.com/errata/RHSA-2013-1842.html Issue date: 2013-12-16 CVE Names: CVE-2013-4450 ===================================================================== 1. Summary: Updated nodejs010-nodejs packages that fix one security issue are now available for Red Hat Software Collections 1. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for RHEL 6 Server - x86_64 Red Hat Software Collections for RHEL 6 Workstation - x86_64 3. Description: Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. (CVE-2013-4450) Node.js is included in Red Hat Software Collections 1.0 as a Technology Preview. More information about Red Hat Technology Previews is available here: https://access.redhat.com/support/offerings/techpreview/ All nodejs010-nodejs users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1021170 - CVE-2013-4450 NodeJS: HTTP Pipelining DoS 6. Package List: Red Hat Software Collections for RHEL 6 Server: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/RHSCL/SRPMS/nodejs010-nodejs-0.10.5-8.el6.src.rpm x86_64: nodejs010-nodejs-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-debuginfo-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-devel-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-docs-0.10.5-8.el6.x86_64.rpm Red Hat Software Collections for RHEL 6 Workstation: Source: ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/RHSCL/SRPMS/nodejs010-nodejs-0.10.5-8.el6.src.rpm x86_64: nodejs010-nodejs-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-debuginfo-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-devel-0.10.5-8.el6.x86_64.rpm nodejs010-nodejs-docs-0.10.5-8.el6.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/#package 7. References: https://www.redhat.com/security/data/cve/CVE-2013-4450.html https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2013 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFSr0q9XlSAg2UNWIIRAplZAKCNJooZ8mJA2a/ke2+zDonkXBgQMACgjYHJ q5tCftH+wfTRq0Xalgs8iMM= =7XqG -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 1.98

sources: NVD: CVE-2013-4450 // JVNDB: JVNDB-2013-004826 // BID: 63229 // PACKETSTORM: 124472

AFFECTED PRODUCTS

vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.1	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.16	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.20	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.22	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.15	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.18	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.23	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.0	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.19	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.2	Trust: 1.6
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.15	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.17	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.10	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.8	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.12	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.16	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.11	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.14	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.21	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.9	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.6	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.7	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.11	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.19	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.3	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.8	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.6	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.2	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.20	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.4	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.7	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.5	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.3	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.13	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.25	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.1	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.14	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.18	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.24	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.17	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.0	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.9	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.4	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.12	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.8.10	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.13	Trust: 1.0
vendor:	nodejs	model:	nodejs	scope:	eq	version:	0.10.5	Trust: 1.0
vendor:	node js	model:	node.js	scope:	lt	version:	0.10.x	Trust: 0.8
vendor:	node js	model:	node.js	scope:	eq	version:	0.10.21	Trust: 0.8
vendor:	node js	model:	node.js	scope:	eq	version:	0.8.26	Trust: 0.8
vendor:	node js	model:	node.js	scope:	lt	version:	0.8.x	Trust: 0.8
vendor:	s u s e	model:	opensuse	scope:	eq	version:	12.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	12.2	Trust: 0.3
vendor:	juniper	model:	northstar controller application	scope:	eq	version:	2.1.0	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.10.20	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.8.25	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.7.8	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.7.7	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.6.16	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	eq	version:	0.6.15	Trust: 0.3
vendor:	juniper	model:	northstar controller application service pack	scope:	ne	version:	2.1.01	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	ne	version:	0.10.21	Trust: 0.3
vendor:	joyent	model:	node.js	scope:	ne	version:	0.8.26	Trust: 0.3

sources: BID: 63229 // JVNDB: JVNDB-2013-004826 // CNNVD: CNNVD-201310-496 // NVD: CVE-2013-4450

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-4450
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-4450
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201310-496
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2013-4450
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2013-004826 // CNNVD: CNNVD-201310-496 // NVD: CVE-2013-4450

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2013-004826 // NVD: CVE-2013-4450

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 124472 // CNNVD: CNNVD-201310-496

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201310-496

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-004826

PATCH

title:	Bump Node version to one with a fix for CVE-2013-4450, non-specific HTTP DoS.	url:	https://github.com/bazbremner/drivebot/commit/3581fd765cf8e046cc86eed1d355345733a200c5	Trust: 0.8
title:	[DoS security vulnerability. Original title redacted]	url:	https://github.com/joyent/node/issues/6214	Trust: 0.8
title:	Node v0.8.26 (Maintenance)	url:	http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/	Trust: 0.8
title:	Node v0.10.21 (Stable)	url:	http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/	Trust: 0.8
title:	openSUSE-SU-2013:1863	url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html	Trust: 0.8
title:	Bug 1021170	url:	https://bugzilla.redhat.com/show_bug.cgi?id=1021170	Trust: 0.8
title:	RHSA-2013:1842	url:	http://rhn.redhat.com/errata/RHSA-2013-1842.html	Trust: 0.8

sources: JVNDB: JVNDB-2013-004826

EXTERNAL IDS

db:	NVD	id:	CVE-2013-4450	Trust: 2.8
db:	BID	id:	63229	Trust: 1.9
db:	OPENWALL	id:	OSS-SECURITY/2013/10/20/1	Trust: 1.6
db:	JUNIPER	id:	JSA10783	Trust: 1.3
db:	JVNDB	id:	JVNDB-2013-004826	Trust: 0.8
db:	MLIST	id:	[OSS-SECURITY] 20131019 RE: CVE REQUEST: NODE.JS HTTP PIPELINING DOS	Trust: 0.6
db:	CNNVD	id:	CNNVD-201310-496	Trust: 0.6
db:	PACKETSTORM	id:	124472	Trust: 0.1

sources: BID: 63229 // JVNDB: JVNDB-2013-004826 // PACKETSTORM: 124472 // CNNVD: CNNVD-201310-496 // NVD: CVE-2013-4450

REFERENCES

url:	http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/	Trust: 1.9
url:	http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/	Trust: 1.9
url:	https://github.com/rapid7/metasploit-framework/pull/2548	Trust: 1.6
url:	https://github.com/joyent/node/issues/6214	Trust: 1.6
url:	http://www.securityfocus.com/bid/63229	Trust: 1.6
url:	http://www.openwall.com/lists/oss-security/2013/10/20/1	Trust: 1.6
url:	http://rhn.redhat.com/errata/rhsa-2013-1842.html	Trust: 1.4
url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00051.html	Trust: 1.3
url:	https://groups.google.com/forum/#%21topic/nodejs/nebweyb0ei0	Trust: 1.0
url:	https://kb.juniper.net/jsa10783	Trust: 1.0
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4450	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4450	Trust: 0.8
url:	https://groups.google.com/forum/#!topic/nodejs/nebweyb0ei0	Trust: 0.6
url:	https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692	Trust: 0.3
url:	http://nodejs.org	Trust: 0.3
url:	http://seclists.org/oss-sec/2013/q4/134	Trust: 0.3
url:	https://kb.juniper.net/infocenter/index?page=content&id=jsa10783&cat=sirt_1&actp=list	Trust: 0.3
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.1
url:	https://access.redhat.com/support/offerings/techpreview/	Trust: 0.1
url:	https://www.redhat.com/security/data/cve/cve-2013-4450.html	Trust: 0.1
url:	https://access.redhat.com/security/team/key/#package	Trust: 0.1
url:	https://access.redhat.com/site/articles/11258	Trust: 0.1
url:	https://bugzilla.redhat.com/):	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4450	Trust: 0.1
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.1
url:	https://access.redhat.com/security/team/contact/	Trust: 0.1

sources: BID: 63229 // JVNDB: JVNDB-2013-004826 // PACKETSTORM: 124472 // CNNVD: CNNVD-201310-496 // NVD: CVE-2013-4450

CREDITS

isaacs

Trust: 0.3

sources: BID: 63229

SOURCES

db:	BID	id:	63229
db:	JVNDB	id:	JVNDB-2013-004826
db:	PACKETSTORM	id:	124472
db:	CNNVD	id:	CNNVD-201310-496
db:	NVD	id:	CVE-2013-4450

LAST UPDATE DATE

2024-11-23T20:35:30.374000+00:00

SOURCES UPDATE DATE

db:	BID	id:	63229	date:	2017-04-18T01:05:00
db:	JVNDB	id:	JVNDB-2013-004826	date:	2014-01-17T00:00:00
db:	CNNVD	id:	CNNVD-201310-496	date:	2013-10-22T00:00:00
db:	NVD	id:	CVE-2013-4450	date:	2024-11-21T01:55:35.550

SOURCES RELEASE DATE

db:	BID	id:	63229	date:	2013-10-18T00:00:00
db:	JVNDB	id:	JVNDB-2013-004826	date:	2013-10-23T00:00:00
db:	PACKETSTORM	id:	124472	date:	2013-12-17T03:38:42
db:	CNNVD	id:	CNNVD-201310-496	date:	2013-10-22T00:00:00
db:	NVD	id:	CVE-2013-4450	date:	2013-10-21T17:55:03.537