TPS-2017-005 Node.js DOS Vulnerability (CVE-2017-14919)

Overview

This notice is to advise Triton Cloud (public cloud) users, Triton On-Premises Software operators, Node.js users and Open Source Triton users of a vulnerability reported by Node.

Description

Node has made Joyent aware of the following high-severity denial-of-service (DoS) vulnerability: CVE-2017-14919

The following Node.js versions are vulnerable to this issue, which can be used by an external attacker to cause a denial of service:

  • Versions 4.8.2 and later
  • Versions 6.10.2 and later
  • All versions of 8.x

To incorporate the security fix for this high-severity vulnerability, the Node.js project recently released updated versions of 4.x, 6.x, and 8.x. To upgrade to the newest versions and ensure mitigation of CVE-2017-14919, please proceed as follows:

  • This vulnerability has been addressed for the Triton Cloud (public cloud). No further action is required of public cloud users.
  • On-premises Triton Enterprise software operators – as well as Node.js users and Open Source Triton users – can mitigate CVE-2017-14919 by following the instructions referenced in the “Actions You Need to Take” section below.
  • Further information regarding this vulnerability can be found at: DOS security vulnerability, October 2017.

Actions Taken by Joyent

As noted above, the fix for this vulnerability has been applied to the Triton Cloud (public cloud). No further actions are required of public cloud users.

Triton On-Premises Software operators, Node.js users and Open Source Triton users: Follow the instructions in the “Actions You Need to Take” section below.

Actions You Need to Take

Triton On-Premises Software Operators

Triton operators are advised to update the following Triton components to the current latest release available in the Support channel:

  • docker: release-20171026-20171026T135327Z-gef3d5bc (or later)
  • cloudapi: release-20171026-20171026T013201Z-g7b3b2c1 (or later)
  • cmon: release-20171026-20171026T015237Z-g1933327 (or later)
  • adminui: release-20171026-20171026T013916Z-g330887a (or later)
  • imgapi: release-20171026-20171026T130549Z-g897bffc (or later)

At minimum, please be sure to update the adminui and imgapi components.

For further details on applying updates, you can reference the Triton maintenance and upgrades web page. Should you require any further assistance with your updates to the components above, please contact our Support team by raising a request at the Customer Support portal or emailing support@joyent.com.

Node.js Users

Update Node.js to the latest version releases, which are available at https://pkgsrc.joyent.com and at https://nodejs.org:

  • Node.js v8.8.0 (Current)
  • Node.js v6.11.5 (LTS “Boron”)
  • Node.js v4.8.5 (LTS “Argon”)
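An added POSIX shell check, not part of the Joyent notice, that classifies a Node.js version string against the vulnerable ranges (4.8.2+, 6.10.2+, all 8.x) and the fixed releases (4.8.5, 6.11.5, 8.8.0) listed above; the function names are assumptions of this example.

```shell
#!/bin/sh
# Returns 0 if dotted version $1 is >= dotted version $2 (numeric x.y.z compare).
# A leading "v" (as printed by `node --version`) is accepted on either side.
ver_ge() {
  a="${1#v}"; b="${2#v}"
  awk -v a="$a" -v b="$b" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Classify a Node.js version against CVE-2017-14919 as described in this notice.
# Prints one of: vulnerable, fixed, unaffected, unlisted.
# Exit status: 0 = no update needed, 1 = update needed, 2 = release line not
# covered by the notice (e.g. 0.x, 5.x, 7.x, 9.x).
node_cve_2017_14919_status() {
  v="${1#v}"
  case "${v%%.*}" in
    4) lo="4.8.2";  fix="4.8.5"  ;;   # vulnerable from 4.8.2, fixed in 4.8.5
    6) lo="6.10.2"; fix="6.11.5" ;;   # vulnerable from 6.10.2, fixed in 6.11.5
    8) lo="8.0.0";  fix="8.8.0"  ;;   # every 8.x before 8.8.0 is vulnerable
    *) echo "unlisted"; return 2 ;;
  esac
  if ver_ge "$v" "$fix"; then echo "fixed"; return 0; fi
  if ver_ge "$v" "$lo";  then echo "vulnerable"; return 1; fi
  echo "unaffected"; return 0
}

# Check the locally installed node, if there is one.
if command -v node >/dev/null 2>&1; then
  installed="$(node --version)"
  printf 'node %s: ' "$installed"
  node_cve_2017_14919_status "$installed" || :
fi
```

Run it on each host; a result of "vulnerable" means the host should move to the fixed release on its line before anything else.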

Open Source Triton Users

Please direct any questions to The SmartOS Community Mailing Lists and IRC.

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC (as noted above).