TPS-2016-010 OpenSSL High-Severity CVE-2016-6304 / Node.js CVE-2016-7099 and Other Vulnerabilities
How To Update Your Services
SmartOS Users
New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post's "Original Notice" section (the pkgsrc branches that carry each package are given in parentheses):
- nodejs-6.7.0.tgz (2016Q3)
- nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
- nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
- nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
- openssl-1.0.2j.tgz (2015Q4, 2016Q3)
- openssl-1.0.2i.tgz (2015Q4)
- openssl-1.0.1u.tgz (2014Q4)
If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):
pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<package_name>
You can visit this Node.js page for more information about these vulnerabilities.
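As an added defender-side check (not Joyent's or pkgsrc's own tooling), the script below takes package names as printed by pkg_info and reports whether each installed nodejs or openssl package is at or above the oldest fixed release listed above for its release line; the pkg_info sample lines are constructed, not captured from a real host.

```python
import re

# Minimum fixed package versions per release line, taken from the advisory's
# list of pkgsrc packages (the oldest listed release in each line is the floor).
FIXED_VERSIONS = {
    "nodejs": {"6": "6.7.0", "4": "4.6.0", "0.12": "0.12.16", "0.10": "0.10.47"},
    "openssl": {"1.0.2": "1.0.2i", "1.0.1": "1.0.1u"},
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

# Constructed sample of pkg_info output (first token is the package name).
SAMPLE_PKG_INFO = [
    "nodejs-4.5.0        Evented I/O for V8 JavaScript",
    "openssl-1.0.2h      Secure Socket Layer and crypto library",
    "curl-7.50.3         Client that groks URLs",
]


def parse_version(text):
    """'4.6.0' or '1.0.2j' -> comparable tuple; an OpenSSL letter suffix
    becomes a fourth component (a=1 ... z=26, none=0)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised version: %r" % text)
    major, minor, patch, letter = m.groups()
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def release_line(package, version):
    """Node.js 0.x lines are keyed '0.minor', later majors by major alone;
    OpenSSL lines are keyed by the full x.y.z (letters are patch releases)."""
    major, minor, patch, _ = version
    if package == "nodejs":
        return "0.%d" % minor if major == 0 else str(major)
    return "%d.%d.%d" % (major, minor, patch)


def check_package(pkg_name):
    """Check one package name such as 'nodejs-4.5.0'. Returns None when the
    package is not covered; 'fixed' is None when the release line is unknown."""
    name, sep, ver_text = pkg_name.partition("-")
    if not sep or name not in FIXED_VERSIONS:
        return None
    version = parse_version(ver_text)
    line = release_line(name, version)
    floor = FIXED_VERSIONS[name].get(line)
    if floor is None:
        return {"package": pkg_name, "line": line, "fixed": None}
    return {"package": pkg_name, "line": line, "minimum": name + "-" + floor,
            "fixed": version >= parse_version(floor)}


def audit(pkg_info_lines):
    """Run check_package over pkg_info output lines, skipping blanks."""
    results = [check_package(l.split()[0]) for l in pkg_info_lines if l.strip()]
    return [r for r in results if r is not None]
```

On a SmartOS zone, pipe the real `pkg_info` output into `audit()` to get one result per nodejs/openssl package.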
Triton Public Cloud Users
The public cloud has been fixed; customers are advised to update their individual instances with the relevant Node.js/OpenSSL packages.
Triton Software Users
Triton operators are advised to update the following Triton components to the current latest release available in the Support channel:
- cloudapi (release-20160929-20161003T221525Z-g585d6c4 or later)
- docker (release-20160929-20160929T030130Z-g63126f8 or later)
- imgapi (release-20160929-20160929T012251Z-gf6c101e or later)
- adminui (master-20160929T005047Z-g3359235 or later)
For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.
Linux Users
Please check the notices applicable to the Linux distribution you are using for the necessary remedial actions:
- Debian: https://security-tracker.debian.org/tracker/
- CentOS/Red Hat/Fedora: https://access.redhat.com/security/security-updates/#/
- Ubuntu: https://www.ubuntu.com/usn/
Original Notice
This notice is to advise all Triton public cloud and Triton software (formerly SDC) customers of the following recently-identified Node.js security vulnerabilities:
- CVE-2016-6304: A malicious client can exhaust a server's memory, resulting in a denial of service (DoS), by sending very large OCSP Status Request extensions in a single session. This OpenSSL flaw is labeled high severity because the DoS attack is easy to carry out, and Node.js servers using TLS are vulnerable.
- CVE-2016-7099: Allows a malicious TLS server to serve an invalid wildcard certificate for its hostname and have it improperly validated by a Node.js client, due to a flaw in the validation of "*." in the wildcard name string.
- Other vulnerabilities may require attention. For now, you can visit this Node.js page to obtain additional details.
Within the next several days, Joyent will update this notice to confirm the actions we have taken, and to provide specific details on any actions required of both Triton Cloud and Triton Enterprise customers to mitigate CVE-2016-6304 and any other vulnerabilities that may affect Joyent customers. Your attention is appreciated.
If you are a Joyent customer and have any questions or concerns, please do not hesitate to contact our Support team by raising a ticket through the Customer Support Portal or by emailing support@joyent.com.