TPS-2017-004 Node Vulnerabilities "c-ares NAPTR parser..." (CVE-2017-1000381) & "Constant Hashable Seeds" (CVE-2017-11499)

Overview

This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Triton On-Premises Object Storage (Manta) operators and Open Source Triton users of two vulnerabilities reported by Node.

Description

Joyent has been made aware of the following Node vulnerabilities:

  • “Constant Hashtable Seeds” (CVE-2017-11499) - high severity
  • “- c-ares NAPTR parser out of bounds access” (CVE-2017-1000381) - low severity

Of the two, only the high-severity “Constant Hashable Seeds” vulnerability has been determined to have any potential effect on Joyent’s infrastructure/services.

To ensure mitigation of “Constant Hashable Seeds” (CVE-2017-11499), please proceed as follows:

  • Both vulnerabilities have been addressed for the Triton Cloud (public cloud). No further action is required of public cloud users.
  • On-premises Triton Enterprise software operators and Object Storage (Manta) operators can mitigate “Constant Hashable Seeds” by following the instructions referenced in the “Actions You Need to Take” section below.
  • Open Source Triton users can mitigate “Constant Hashable Seeds” by following the instructions referenced in the “Actions You Need to Take” section below.

Further information regarding these vulnerabilities can be found at: Node’s July 2017 Security Updates.

Actions Taken by Joyent

As noted above, the fix for both of these vulnerabilities has been applied to the Triton Cloud (public cloud). No further actions are required of public cloud users.

Triton On-Premises Software Operators, Triton Object Storage (Manta) On-Premises Operators and Open Source Triton Users: Follow the instructions in the “Actions You Need to Take” section below.

Actions You Need to Take

Triton On-Premises Software Operators

Please upgrade Docker, CloudAPI and Portal to the following versions, or later:

  • Docker: release-20170720-20170720T003928Z-gedb2de0
  • CloudAPI: release-20170720-20170720T035146Z-gdddb303
  • Portal: piranha-20170716T063628Z-v4.8.18

Triton Object Storage (Manta) On-Premises Operators

Please upgrade your manta-webapi (muskies) to this version: master-20170712T224938Z-g5612dac

IMPORTANT Note: Please contact Joyent Support prior to upgrading any of the components mentioned above, and provide the latest census information to allow Support to verify current versions of other components (such as cn-agent, firewaller, imgapi, and sapi). The other components may need to be upgraded first, due to dependencies involved with the newer versions of Docker and CloudAPI.

Open Source Triton Users

Please direct any questions to The SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC (as noted above).