TPS-2016-010 OpenSSL High-Severity CVE-2016-6304 / Node.js CVE-2016-7099 and Other Vulnerabilities

How To Update Your Services

SmartOS Users

New releases of the Node.js and OpenSSL packages have been added to our pkgsrc repository (see below for specific details). The following latest package releases address the vulnerabilities outlined in this post’s “Original Notice” section:

  • nodejs-6.7.0.tgz (2016Q3)
  • nodejs-4.6.0.tgz (2014Q4, 2015Q4, 2016Q3)
  • nodejs-0.12.16.tgz (2014Q4, 2015Q4, 2016Q3)
  • nodejs-0.10.47.tgz (2014Q4, 2015Q4, 2016Q3)
  • openssl-1.0.2j.tgz (2015Q4, 2016Q3)
  • openssl-1.0.2i.tgz (2015Q4)
  • openssl-1.0.1u.tgz (2014Q4)

If you are running on an older SmartOS image that is using a deprecated pkgsrc repository, you may still try installing the correct fixed package by using the following command (NOTE: please test for any potential incompatibilities on a non-production machine prior to trying this):

pkg_add http://pkgsrc.joyent.com/packages/SmartOS/2014Q4/x86_64/All/<package_name>

You can visit this Node.js page for more information about these vulnerabilities.
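To confirm that an instance is actually running one of the fixed releases listed above, the following added example (not Joyent's or the Node.js project's code) compares a Node.js version and its bundled OpenSSL version against the minimums in this notice. The function names are assumptions made for illustration, and the result is a version comparison only, not a test for the flaws themselves.

```javascript
// Added example: compare versions against the fixed releases in this notice.
// Minimum fixed Node.js release per release line, copied from the package list above.
const FIXED_NODE = { '6': '6.7.0', '4': '4.6.0', '0.12': '0.12.16', '0.10': '0.10.47' };
// Lowest fixed OpenSSL letter release per branch in the package list above.
const FIXED_OPENSSL = { '1.0.2': 'i', '1.0.1': 'u' };

// "v4.6.0" or "4.6.0" -> [4, 6, 0]; null when the string is not a version.
function parse(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Release line key: "0.10" / "0.12" for 0.x, otherwise the major number.
function releaseLine(parts) {
  return parts[0] === 0 ? `0.${parts[1]}` : String(parts[0]);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns 'fixed', 'vulnerable', or 'not-listed' when this notice names no
// fixed release for that line (for example 5.x, or lines released later).
function checkNode(version) {
  const parts = parse(version);
  if (!parts) throw new Error(`unparseable Node.js version: ${version}`);
  const min = FIXED_NODE[releaseLine(parts)];
  if (!min) return 'not-listed';
  return compare(parts, parse(min)) >= 0 ? 'fixed' : 'vulnerable';
}

// OpenSSL 1.0.x versions carry a letter patch level, e.g. "1.0.2h".
function checkOpenSSL(version) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)/.exec(String(version));
  if (!m) throw new Error(`unparseable OpenSSL version: ${version}`);
  const min = FIXED_OPENSSL[m[1]];
  if (min === undefined) return 'not-listed';
  // Letters sort in release order; a longer suffix (e.g. "za") follows "z".
  const ok = m[2].length !== min.length ? m[2].length > min.length : m[2] >= min;
  return ok ? 'fixed' : 'vulnerable';
}

// Report on the runtime executing this script.
console.log('node', process.version, checkNode(process.version));
console.log('openssl', process.versions.openssl, checkOpenSSL(process.versions.openssl));
```

A 'not-listed' result means the notice gives no fixed package for that release line, so it should be checked against the upstream advisory rather than treated as safe.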

Triton Public Cloud Users

The public cloud has been fixed; customers are advised to update their individual instances with the relevant Node.js/OpenSSL packages.

Triton Software Users

Triton operators are advised to update the following Triton components to the current latest release available in the Support channel:

  • cloudapi (release-20160929-20161003T221525Z-g585d6c4 or later)
  • docker (release-20160929-20160929T030130Z-g63126f8 or later)
  • imgapi (release-20160929-20160929T012251Z-gf6c101e or later)
  • adminui (master-20160929T005047Z-g3359235 or later)

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.

Linux Users

Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:


Original Notice

This notice is to advise all Triton public cloud and Triton software (formerly SDC) customers of the following recently-identified Node.js security vulnerabilities:

  • CVE-2016-6304: A malicious client can exhaust a server’s memory, resulting in a denial of service (DoS), by sending very large OCSP Status Request extensions in a single session. This OpenSSL flaw is labeled high severity due to the ease of using it for a DoS attack, and Node.js servers using TLS are vulnerable.
  • CVE-2016-7099: Allows a malicious TLS server to serve an invalid wildcard certificate for its hostname and have it improperly validated by a Node.js client, due to a flaw in the validation of *. in the wildcard name string.
  • Other vulnerabilities may require attention.

For now, you can visit this Node.js page to obtain additional details. Within the next several days, Joyent will update this notice to confirm actions that we have taken, as well as provide specific details on any required actions to be taken by both Triton Cloud and Triton Enterprise customers to mitigate CVE-2016-6304 and any other vulnerabilities that may affect Joyent customers. Your attention is appreciated.

If you are a Joyent customer and have any questions or concerns, please do not hesitate to contact our Support team by raising a ticket through the Customer Support Portal or by emailing support@joyent.com.