Описание
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.
Меры по смягчению последствий
The use of a Load Balancer or a Reverse Proxy will increase the difficulty of the attack.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Application Runtimes | nodejs10 | Not affected | ||
| Red Hat OpenShift Application Runtimes | nodejs8 | Not affected | ||
| Red Hat OpenShift Container Platform 3.10 | nodejs | Fix deferred | ||
| Red Hat OpenShift Container Platform 3.6 | nodejs | Fix deferred | ||
| Red Hat OpenShift Container Platform 3.7 | nodejs | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.9 | nodejs | Fix deferred | ||
| Red Hat Enterprise Linux 8 | nodejs | Fixed | RHSA-2019:2925 | 30.09.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs8-nodejs | Fixed | RHSA-2019:1821 | 22.07.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs10 | Fixed | RHSA-2019:2939 | 01.10.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-nodejs10-nodejs | Fixed | RHSA-2019:2939 | 01.10.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before ...
EPSS
5.3 Medium
CVSS3