TPS-2016-009 Node.js Vulnerabilities CVE-2016-1669 and CVE-2014-9748

How To Update Your Services

SmartOS Users

New releases of the Node.js packages have been added to the 2016Q1 pkgsrc repository. The following latest package releases address the vulnerabilities outlined in this notice:

  • nodejs-5.12.0.tgz
  • nodejs-4.4.7.tgz
  • nodejs-0.12.15.tgz
  • nodejs-0.10.46.tgz

If you are running on a SmartOS image that is using a different pkgsrc repository, you can still install the above by using the following command (you may want to first test for any potential incompatibilities on a non-production machine):

pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<nodejs_package>

You can visit this Node.js page for more information about these vulnerabilities.

Triton Cloud Users

The public cloud has been fixed; customers are advised to update their individual instances with the relevant Node.js packages.

Triton Software Users

Triton operators are advised to update all Triton components to the current latest release available in the Support channel (20160804).

  • Users should also update their boot platform to 20160818T235335Z, or newer

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:

  • Debian: CVE-2016-1669 and CVE-2014-9748
  • Centos/Red Hat/Fedora: CVE-2016-1669
  • Ubuntu: CVE-2016-1669 and CVE-2014-9748

Original Notice

This notice is to advise all Triton public cloud and Triton software (formerly SDC) customers of the following recently-identified Node.js security vulnerabilities:

  • CVE-2016-1669: Under certain conditions, V8 may improperly expand memory allocations in the Zone::New function. This could potentially be used to cause a Denial of Service via buffer overflow or as a trigger for a remote code execution; mitigation will be required.
  • CVE-2014-9748 is Windows-related and does not pertain to any Joyent software or services.

For now, you can visit this Node.js page to obtain additional details. Within the next several days, Joyent will proactively update this notice to confirm actions that we have taken, as well as provide specific details on any required actions to be taken by both Triton public cloud and Triton Enterprise software customers to mitigate CVE-2016-1669. Your attention is appreciated.

If you are a Joyent customer and have any questions or concerns, please do not hesitate to contact our Support team by raising a ticket at through the Customer Support Portal or by emailing support@joyent.com.