February 2016 Security Release Summary

Rod Vagg

Rod Vagg

Two weeks ago we announced the planned release of updates to all active release lines, v0.10, v0.12, v4 and v5, to fix HTTP related vulnerabilities and to upgrade the bundled versions of OpenSSL.

Upon release of the OpenSSL updates we posted an impact assessment for Node.js users. We noted that the updates contained only one minor change that impacted Node.js users.

Today we have released Node.js v0.10.42 (Maintenance), v0.12.10 (LTS), v4.3.0 "Argon" (LTS) and v5.6.0 (Stable) with fixes for the announced vulnerabilities and updates to OpenSSL. (/(/(/(/ Please note that our LTS "Argon" release line has moved from v4.2.x to v4.3.x due to the security fixes enclosed. There will be no further updates to v4.2.x. Users are advised to upgrade to v4.3.0 as soon as possible.

For the purpose of understanding the impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances we are providing details below.

CVE-2016-2086 Request Smuggling Vulnerability

Régis Leroy reported defects in Node.js that can make request smuggling attacks possible under certain circumstances. To fix these defects, HTTP header parsing in Node.js, for both requests and responses, is moving closer to the formal HTTP specification in its handling of Content-Length.

While the impact of this vulnerability is application and network dependent, it is likely to be difficult to assess whether a Node.js deployment is vulnerable to attack. We therefore recommend that all users upgrade.

  • Versions 0.10.x of Node.js are vulnerable, please upgrade to v0.10.42 (Maintenance).
  • Versions 0.12.x of Node.js are vulnerable, please upgrade to [v0.12.10 (LTS)](/blo(/ease/v0.12.10/).
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade (/4.3.0 "Argon" (LTS)](/blog/release/v4.3.0/).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.6.0 (Stable).(/ (/

CVE-2016-2216 Response Splitting Vulnerability

Сковорода Никита Андреевич (Nikita Skovoroda / @ChALkeR) and Amit Klein (of Safebreach) separately reported ways in which HTTP header parsing in Node.js can be used to perform response splitting attacks (new-line / CRLF injection). While Node.js has been protecting against response splitting attacks by checking for CRLF characters, it is possible to compose response headers using Unicode characters that decompose to these characters, bypassing the checks previously in place.

To fix this defect, HTTP header parsing in Node.js, for both requests and responses, is moving closer to the formal HTTP specification. HTTP headers containing characters outside of the valid set for tokens will be rejected. This check is performed for both requests and responses, for Node.js HTTP servers and clients.

It is possible that there exist Node.js applications that rely on the lax behavior of HTTP header parsing for Node.js clients and/or servers. This change is therefore a breaking change that would normally be reserved for a semver-major version increment. However, as per our LTS policy, we are introducing this change as a semver-minor in Node.js v4 (hence the move from v4.2.x to v4.3.x) and v5 and semver-patch in v0.10 and v0.12.

Node.js LTS releases, v0.10.42, v0.12.10 and v4.3.0 (but not v5.6.0) also include a new command-line argument that can be used to turn off this new strict header parsing. By supplying --security-revert=CVE-2016-2216 when starting Node.js, the previous lenient HTTP header character checks will be used instead. Use of this option is not recommended and should only be used as a temporary migration tool where the implications of reverting the new behavior are fully understood.

We recommend that all users upgrade to receive this fix.

  • Versions 0.10.x of Node.js are vulnerable, please upgrade to v0.10.42 (Maintenance).
  • Versions 0.12.x of Node.js are vulnerable, please upgrade to [v0.12.10 (LTS)](/blo(/ease/v0.12.10/).
  • Versions 4.x, including LTS Argon, of Node.js are vulnerable, please upgrade (/4.3.0 "Argon" (LTS)](/blog/release/v4.3.0/).
  • Versions 5.x of Node.js are vulnerable, please upgrade to v5.6.0 (Stable).(/ (/

OpenSSL upgrade summary

Node.js v0.10.42 and v0.12.10 upgrades the bundled version of OpenSSL from 1.0.1q to 1.0.1r. Full details can be found in the OpenSSL 1.0.1 changelog.

Node.js v4.3.0 and v5.6.0 upgrades the bundled version of OpenSSL from 1.0.2e to 1.0.2f. Full details can be found in the OpenSSL 1.0.2 changelog.

As per our impact assessment, the following applies to these releases:

DH small subgroups (CVE-2016-0701)

Node.js v0.10 and v0.12 are not affected by this defect.

Node.js v4 and v5 use the SSL_OP_SINGLE_DH_USE option already and are therefore not affected by this defect.

SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

Node.js v0.10 and v0.12 disable SSLv2 by default and are not affected unless the --enable-ssl2 command line argument is being used (not recommended).

Node.js v4 and v5 do not support SSLv2.

An update on DHE man-in-the-middle protection (Logjam)

Previous releases of OpenSSL (since Node.js v0.10.39, v0.12.5, v4.0.0 and v5.0.0) mitigated against Logjam for TLS clients by rejecting connections from servers where Diffie-Hellman parameters were shorter than 768-bits.

The new OpenSSL release, for all Node.js lines, increases this to 1024-bits. The change only impacts TLS clients connecting to servers with weak DH parameter lengths.

Please tune in to nodejs-sec (https://groups.google.com/forum/#!forum/nodejs-sec) to receive security announcements. An Atom feed is also available for security-only posts to the nodejs.org blog.