Executive Summary
| Summary | |
|---|---|
| Title | nodejs and nodejs-tough-cookie security, bug fix, and enhancement update |
| Informations | |||
|---|---|---|---|
| Name | RHSA-2016:2101 | First vendor Publication | 2016-10-27 |
| Vendor | RedHat | Last vendor Modification | 2016-10-27 |
| Severity (Vendor) | N/A | Revision | 01 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| Problem Description: An update for nodejs-tough-cookie and nodejs is now available for Red Hat OpenShift Container Platform 3.1, 3.2, and 3.3. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat OpenShift Container Platform 3.3 - noarch, x86_64 Red Hat OpenShift Enterprise 3.1 - noarch, x86_64 Red Hat OpenShift Enterprise 3.2 - noarch, x86_64 3. Description: Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Security Fix(es): * A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU. (CVE-2016-1000232) * It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request. (CVE-2016-5325) This advisory contains the RPM packages for this release. See the following advisory for the container images fixes for this release: https://access.redhat.com/errata/RHBA-2016:2100 4. Solution: For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory: https://access.redhat.com/errata/RHBA-2016:2100 5. Bugs fixed (https://bugzilla.redhat.com/): 1346910 - CVE-2016-5325 nodejs: reason argument in ServerResponse#writeHead() not properly validated 1359818 - CVE-2016-1000232 nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons 1382854 - [3.1,3.2,3.3] nodejs rpm updates for logging-auth-proxy |
Original Source
| Url : https://rhn.redhat.com/errata/RHSA-2016-2101.html |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 50 % | CWE-113 | Failure to Sanitize CRLF Sequences in HTTP Headers ('HTTP Response Splitting') |
| 50 % | CWE-20 | Improper Input Validation |
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2016-12-14 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201612-43.nasl - Type : ACT_GATHER_INFO |
| 2016-10-12 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2016-1172.nasl - Type : ACT_GATHER_INFO |
| 2016-10-06 | Name : The remote Fedora host is missing a security update. File : fedora_2016-286a8ec5b0.nasl - Type : ACT_GATHER_INFO |
| 2016-08-09 | Name : The remote Fedora host is missing a security update. File : fedora_2016-c0fd203d6e.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2018-10-31 17:21:56 |
|
| 2018-09-06 17:21:26 |
|
| 2016-10-27 21:24:34 |
|
