Allele Security Alert
ASA-2019-00120
Identifier(s)
ASA-2019-00120, CVE-2019-5737
Title
Slowloris HTTP Denial of Service with keep-alive
Vendor(s)
The Node.js Project
Product(s)
Node.js
Affected version(s)
All versions of Node.js 6 (LTS “Boron”)
All versions of Node.js 8 (LTS “Carbon”)
All versions of Node.js 10 (LTS “Dubnium”)
All versions of Node.js 11 (Current)
Fixed version(s)
Node.js 11.10.1 (Current)
Node.js 10.15.2 (LTS “Dubnium”)
Node.js 8.15.1 (LTS “Carbon”)
Node.js 6.17.0 (LTS “Boron”)
Proof of concept
Unknown
Description
All actively supported release lines are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and then sending headers very slowly, thereby keeping the connection and its associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in November 2018. The 40 second timeout and its adjustment via server.headersTimeout apply to this fix as they did to CVE-2018-12121.
Technical details
Unknown
Credits
Marco Pracucci and Matteo Collina
Reference(s)
February 2019 Security Releases
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
http: prevent slowloris with keepalive connections
https://github.com/nodejs/node/commit/1a7302bd48
CVE-2019-5737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
CVE-2019-5737
https://nvd.nist.gov/vuln/detail/CVE-2019-5737
If there is any error in this alert, or if you would like a comprehensive analysis, let us know.
Last modified: March 6, 2019