CVE-2018-7167
Published: 13 June 2018
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
From the Ubuntu Security Team
It was discovered that the Buffer.fill() and Buffer.alloc() methods improperly handled certain inputs. An attacker could use this vulnerability to cause a denial of service.
Priority
Status
Package | Release | Status |
---|---|---|
nodejs Launchpad, Ubuntu, Debian |
artful |
Ignored
(end of life)
|
bionic |
Released
(8.10.0~dfsg-2ubuntu0.4+esm1)
Available with Ubuntu Pro |
|
cosmic |
Not vulnerable
(8.11.4~dfsg-0ubuntu1)
|
|
disco |
Not vulnerable
(10.15.1~dfsg-5)
|
|
eoan |
Not vulnerable
(10.15.1~dfsg-5)
|
|
focal |
Not vulnerable
(10.15.1~dfsg-5)
|
|
groovy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
hirsute |
Not vulnerable
(10.15.1~dfsg-5)
|
|
impish |
Not vulnerable
(10.15.1~dfsg-5)
|
|
jammy |
Not vulnerable
(10.15.1~dfsg-5)
|
|
kinetic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
lunar |
Not vulnerable
(10.15.1~dfsg-5)
|
|
mantic |
Not vulnerable
(10.15.1~dfsg-5)
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(8.11.3,10.4.1)
|
|
xenial |
Needed
|
|
Patches: upstream: https://github.com/nodejs/node/commit/c5a2748d8f upstream: https://github.com/nodejs/node/commit/25c5111ca4 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
References
- https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167
- https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/
- https://ubuntu.com/security/notices/USN-4796-1
- https://www.cve.org/CVERecord?id=CVE-2018-7167
- NVD
- Launchpad
- Debian