Allele Security Alert
ASA-2019-00121
Identifier(s)
ASA-2019-00121, CVE-2019-5739
Title
Denial of Service with keep-alive HTTP connections
Vendor(s)
The Node.js Project
Product(s)
Node.js
Affected version(s)
All versions of Node.js 6 (LTS “Boron”)
Fixed version(s)
Node.js 6.17.0 (LTS “Boron”)
Proof of concept
Unknown
Description
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
Technical details
Unknown
Credits
Timur Shemsedinov and Matteo Collina
Reference(s)
February 2019 Security Releases
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
http: destroy sockets after keepAliveTimeout
https://github.com/nodejs/node/commit/f23b3b6bad
CVE-2019-5739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5739
CVE-2019-5739
https://nvd.nist.gov/vuln/detail/CVE-2019-5739
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: March 6, 2019