Bug 846808 (CVE-2013-4450) - VUL-0: CVE-2013-4450: nodejs: HTTP Pipelining DoS
Summary: VUL-0: CVE-2013-4450: nodejs: HTTP Pipelining DoS
Status: RESOLVED FIXED
Alias: CVE-2013-4450
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium / Minor
Target Milestone: ---
Deadline: 2013-11-25
Assignee: Jordi Massaguer
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:54863:low CVSSv2:RedHat...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-10-21 10:31 UTC by Victor Pereira
Modified: 2018-04-26 14:42 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch for v0.10.x (6.09 KB, patch)
2013-12-03 12:01 UTC, Jordi Massaguer
patch for v0.8.x (5.89 KB, patch)
2013-12-03 12:01 UTC, Jordi Massaguer

Description Victor Pereira 2013-10-21 10:31:15 UTC
CVE-2013-4450

Under a high load of HTTP pipelined requests, nodejs didn't try to slow down the number of incoming requests, hence consuming 100% CPU and not being able to handle new connections.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4450
https://bugzilla.redhat.com/show_bug.cgi?id=1021170
https://github.com/joyent/node/issues/6214
https://github.com/joyent/node/blob/085dd30e93da67362f044ad1b3b6b2d997064692/test/simple/test-http-pipeline-flood.js (how to test it)
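The description says the server kept parsing pipelined requests as fast as they arrived, with no backpressure toward the client. The following simulation is an added illustration written for this page; it is not code from the bug, from the linked upstream test, or from Node.js itself. It models the mitigation idea of pausing reads on a connection while a response is still outstanding (what `socket.pause()` / `socket.resume()` would do in a real server) and contrasts it with an unthrottled parser that swallows the whole flood before a single response is written. The request text, the `MAX_PENDING` limit and the `PipelinedConnection` class are all constructed for the example.

```javascript
// Constructed simulation of backpressure for pipelined HTTP/1.1 requests.
// A real server would pause/resume the socket; here a string buffer stands
// in for the socket so the behaviour can be traced deterministically.

const MAX_PENDING = 1; // assumption: at most one unanswered request per connection

class PipelinedConnection {
  constructor(maxPending = MAX_PENDING) {
    this.maxPending = maxPending;
    this.pending = 0;      // requests parsed but not yet answered
    this.parsed = 0;       // requests parsed in total
    this.pauseEvents = 0;  // how often reading was paused
    this.paused = false;
    this.buffer = '';
    this.log = [];
  }

  // Bytes arriving from the client; may hold zero, one or many request heads.
  receive(chunk) {
    this.buffer += chunk;
    this.drain();
  }

  // Parse complete request heads until the buffer is empty or we are paused.
  drain() {
    while (!this.paused) {
      const end = this.buffer.indexOf('\r\n\r\n');
      if (end === -1) break;                 // incomplete head: wait for more bytes
      const head = this.buffer.slice(0, end);
      this.buffer = this.buffer.slice(end + 4);
      this.parsed++;
      this.pending++;
      this.log.push(`parsed ${head.split('\r\n')[0]}`);
      if (this.pending >= this.maxPending) {
        this.paused = true;                  // socket.pause() in a real server
        this.pauseEvents++;
        this.log.push('pause');
      }
    }
  }

  // The application has finished writing one response.
  finishResponse() {
    if (this.pending === 0) throw new Error('no pending request to answer');
    this.pending--;
    if (this.paused && this.pending < this.maxPending) {
      this.paused = false;                   // socket.resume()
      this.log.push('resume');
      this.drain();                          // pick up the next queued request
    }
  }
}

// Constructed client flood: n requests pipelined into one write.
function buildPipelinedRequests(n) {
  let out = '';
  for (let i = 0; i < n; i++) {
    out += `GET /item/${i} HTTP/1.1\r\nHost: example.test\r\n\r\n`;
  }
  return out;
}

// Deliver the flood, then answer requests one at a time and report how many
// were parsed before the first response, how many pauses occurred, and the totals.
function simulate(n, maxPending) {
  const conn = new PipelinedConnection(maxPending);
  conn.receive(buildPipelinedRequests(n));
  const parsedBeforeFirstResponse = conn.parsed;
  let answered = 0;
  while (conn.pending > 0) {
    conn.finishResponse();
    answered++;
  }
  return { parsedBeforeFirstResponse, parsedTotal: conn.parsed, answered, pauses: conn.pauseEvents };
}

// Stand-alone demo: unthrottled parser versus one request in flight at a time.
console.log('unthrottled:', simulate(50, Infinity));
console.log('throttled:  ', simulate(50, MAX_PENDING));
```

With `maxPending` set to `Infinity` all 50 heads are parsed before any response is produced, which is the unbounded queue growth the bug describes; with the limit of one, the connection is paused after each parsed request and only resumes when the application has answered it, so every request is still served but the server controls the pace.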
Comment 1 Swamp Workflow Management 2013-10-22 22:00:08 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2013-10-28 12:42:38 UTC
The SWAMPID for this issue is 54863.
This issue was rated as low.
Please submit fixed packages until 2013-11-25.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 3 Vincent Untz 2013-11-21 14:46:08 UTC
Sascha: here are the latest security issues we have.
Comment 4 Sascha Peilicke 2013-11-28 09:48:14 UTC
So the Cloud product is not affected since we only use Node.js during package build (to compile LESS files). For that, we use version 0.6.3 which is horribly outdated. Studio seems to be using 0.6.8 and I would assume moving to a more recent version is far more reasonable than backporting. Upstream semi-promised to backport the fix to 0.10 and 0.8.

Therefore reassigning to jordi. I guess he can also decide (with flavio) the openSUSE maintenance part.
Comment 5 Jordi Massaguer 2013-11-28 16:39:49 UTC
Studio product uses nodejs for precompiling the assets. It does that during the firstboot of the appliance. However, in the latest updates we moved the assets precompilation into the script that creates the tarball because nodejs was only available for x86 architectures.

Thus, Studio product does not really use nodejs once it is set up and running. However, it remains installed.
Comment 6 Marcus Meissner 2013-12-03 08:33:13 UTC
So as there is no attacker directed input to nodejs, we can ignore this issue for STUDIO and CLOUD as they are not a generic provider of nodejs.

openSUSE could get fixes if possible.
Comment 7 Jordi Massaguer 2013-12-03 12:01:21 UTC
Created attachment 569976 [details]
patch for v0.10.x
Comment 8 Jordi Massaguer 2013-12-03 12:01:57 UTC
Created attachment 569979 [details]
patch for v0.8.x
Comment 9 Bernhard Wiedemann 2013-12-03 13:00:29 UTC
This is an autogenerated message for OBS integration:
This bug (846808) was mentioned in
https://build.opensuse.org/request/show/209268 12.2 / nodejs
https://build.opensuse.org/request/show/209269 12.3 / nodejs
https://build.opensuse.org/request/show/209272 13.1 / nodejs
Comment 10 Marcus Meissner 2013-12-04 16:51:57 UTC
Update is running; as it's openSUSE, I can close the bug now.
Comment 11 Swamp Workflow Management 2013-12-12 17:05:33 UTC
openSUSE-SU-2013:1863-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 846808
CVE References: CVE-2013-4450
Sources used:
openSUSE 13.1 (src):    nodejs-0.10.5-3.4.1
openSUSE 12.3 (src):    nodejs-0.8.12-3.4.1
openSUSE 12.2 (src):    nodejs-0.6.19-1.8.1