RHSA-2016_2101
Vulnerability from csaf_redhat - Published: 2016-10-27 16:41 - Updated: 2024-11-14 20:49Summary
Red Hat Security Advisory: nodejs and nodejs-tough-cookie security, bug fix, and enhancement update
Severity
Moderate
Notes
Topic: An update for nodejs-tough-cookie and nodejs is now available for Red Hat
OpenShift Container Platform 3.1, 3.2, and 3.3.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details: Red Hat OpenShift Container Platform is the company's cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or private
cloud deployments.
Security Fix(es):
* A regular expression denial of service flaw was found in Tough-Cookie. An
attacker able to make an application using Touch-Cookie to parse a
sufficiently large HTTP request Cookie header could cause the application
to consume an excessive amount of CPU. (CVE-2016-1000232)
* It was found that the reason argument in ServerResponse#writeHead() was
not properly validated. A remote attacker could possibly use this flaw to
conduct an HTTP response splitting attack via a specially-crafted HTTP
request. (CVE-2016-5325)
This advisory contains the RPM packages for this release. See the following
advisory for the container images fixes for this release:
https://access.redhat.com/errata/RHBA-2016:2100
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.
4.8 (Medium)
Vendor Fix
For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory:
https://access.redhat.com/errata/RHBA-2016:2100
https://access.redhat.com/errata/RHSA-2016:2101
A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse an HTTP header with many semicolons could cause the application to consume an excessive amount of CPU.
5.3 (Medium)
Vendor Fix
For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory:
https://access.redhat.com/errata/RHBA-2016:2100
https://access.redhat.com/errata/RHSA-2016:2101
References
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for nodejs-tough-cookie and nodejs is now available for Red Hat \nOpenShift Container Platform 3.1, 3.2, and 3.3.\n\nRed Hat Product Security has rated this update as having a security impact \nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which \ngives a detailed severity rating, is available for each vulnerability from \nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat OpenShift Container Platform is the company\u0027s cloud computing \nPlatform-as-a-Service (PaaS) solution designed for on-premise or private \ncloud deployments.\n\nSecurity Fix(es):\n\n* A regular expression denial of service flaw was found in Tough-Cookie. An \nattacker able to make an application using Touch-Cookie to parse a \nsufficiently large HTTP request Cookie header could cause the application \nto consume an excessive amount of CPU. (CVE-2016-1000232)\n\n* It was found that the reason argument in ServerResponse#writeHead() was \nnot properly validated. A remote attacker could possibly use this flaw to \nconduct an HTTP response splitting attack via a specially-crafted HTTP \nrequest. (CVE-2016-5325)\n\nThis advisory contains the RPM packages for this release. See the following\nadvisory for the container images fixes for this release:\n\nhttps://access.redhat.com/errata/RHBA-2016:2100",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2016:2101",
"url": "https://access.redhat.com/errata/RHSA-2016:2101"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1346910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1346910"
},
{
"category": "external",
"summary": "1359818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1359818"
},
{
"category": "external",
"summary": "1382854",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1382854"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2101.json"
}
],
"title": "Red Hat Security Advisory: nodejs and nodejs-tough-cookie security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-14T20:49:19+00:00",
"generator": {
"date": "2024-11-14T20:49:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2016:2101",
"initial_release_date": "2016-10-27T16:41:39+00:00",
"revision_history": [
{
"date": "2016-10-27T16:41:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2016-10-27T16:41:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T20:49:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 3.3",
"product": {
"name": "Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Container Platform 3.2",
"product": {
"name": "Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.2::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat OpenShift Enterprise 3.1",
"product": {
"name": "Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift:3.1::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Enterprise"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"product": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"product_id": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-tough-cookie@2.3.1-1.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "nodejs-docs-0:0.10.47-2.el7.noarch",
"product": {
"name": "nodejs-docs-0:0.10.47-2.el7.noarch",
"product_id": "nodejs-docs-0:0.10.47-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-docs@0.10.47-2.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"product": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"product_id": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-tough-cookie@2.3.1-1.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "nodejs-0:0.10.47-2.el7.src",
"product": {
"name": "nodejs-0:0.10.47-2.el7.src",
"product_id": "nodejs-0:0.10.47-2.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@0.10.47-2.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"product": {
"name": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"product_id": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-devel@0.10.47-2.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "nodejs-0:0.10.47-2.el7.x86_64",
"product": {
"name": "nodejs-0:0.10.47-2.el7.x86_64",
"product_id": "nodejs-0:0.10.47-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs@0.10.47-2.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"product": {
"name": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"product_id": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/nodejs-debuginfo@0.10.47-2.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src"
},
"product_reference": "nodejs-0:0.10.47-2.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-0:0.10.47-2.el7.noarch as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch"
},
"product_reference": "nodejs-docs-0:0.10.47-2.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.src as a component of Red Hat OpenShift Enterprise 3.1",
"product_id": "7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.src as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src"
},
"product_reference": "nodejs-0:0.10.47-2.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-0:0.10.47-2.el7.noarch as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch"
},
"product_reference": "nodejs-docs-0:0.10.47-2.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.src as a component of Red Hat OpenShift Container Platform 3.2",
"product_id": "7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.src as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src"
},
"product_reference": "nodejs-0:0.10.47-2.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-devel-0:0.10.47-2.el7.x86_64 as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64"
},
"product_reference": "nodejs-devel-0:0.10.47-2.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-docs-0:0.10.47-2.el7.noarch as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch"
},
"product_reference": "nodejs-docs-0:0.10.47-2.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs-tough-cookie-0:2.3.1-1.el7.src as a component of Red Hat OpenShift Container Platform 3.3",
"product_id": "7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
},
"product_reference": "nodejs-tough-cookie-0:2.3.1-1.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOSE-3.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-5325",
"discovery_date": "2016-06-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1346910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the reason argument in ServerResponse#writeHead() was not properly validated. A remote attacker could possibly use this flaw to conduct an HTTP response splitting attack via a specially-crafted HTTP request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs: reason argument in ServerResponse#writeHead() not properly validated",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-5325"
},
{
"category": "external",
"summary": "RHBZ#1346910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1346910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-5325",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-5325"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-5325",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-5325"
},
{
"category": "external",
"summary": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/",
"url": "https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/"
}
],
"release_date": "2016-06-13T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-27T16:41:39+00:00",
"details": "For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory: \n\nhttps://access.redhat.com/errata/RHBA-2016:2100",
"product_ids": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2101"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "nodejs: reason argument in ServerResponse#writeHead() not properly validated"
},
{
"cve": "CVE-2016-1000232",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2016-07-22T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1359818"
}
],
"notes": [
{
"category": "description",
"text": "A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse an HTTP header with many semicolons could cause the application to consume an excessive amount of CPU.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-1000232"
},
{
"category": "external",
"summary": "RHBZ#1359818",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1359818"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-1000232",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000232"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000232",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000232"
},
{
"category": "external",
"summary": "https://nodesecurity.io/advisories/130",
"url": "https://nodesecurity.io/advisories/130"
}
],
"release_date": "2016-07-22T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2016-10-27T16:41:39+00:00",
"details": "For details on how to apply this update in OpenShift Container Platform 3, see the Solution section of the following advisory: \n\nhttps://access.redhat.com/errata/RHBA-2016:2100",
"product_ids": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2016:2101"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.1:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.1:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.1:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.2:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.2:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.2:nodejs-tough-cookie-0:2.3.1-1.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.src",
"7Server-RH7-RHOSE-3.3:nodejs-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-debuginfo-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-devel-0:0.10.47-2.el7.x86_64",
"7Server-RH7-RHOSE-3.3:nodejs-docs-0:0.10.47-2.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.noarch",
"7Server-RH7-RHOSE-3.3:nodejs-tough-cookie-0:2.3.1-1.el7.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "nodejs-tough-cookie: regular expression DoS via Cookie header with many semicolons"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…