The initial report was made publicly, including a proof of concept exploit, and is currently viewable via google cache.
The censored issue report is referenced with a metasploit pull request containing code that can be used to exploit.
Given this, I'd say sooner is better than later.
It would be prudent to mention making your load balancer limit the number of requests than can be pipelined down a single connection should resolve any issue.
The metasploit exploit was possible only thanks to the release (see the tweets of metasploit maintainer @hdmoore), IMO they could have waited until Monday morning to release it.
While the security update protocol leaves something to be desired, the possibility of a DoS attach is not quite as bad as a vulnerability that leaks real information. If that were to happen, I'd hope all the steps you've outlined would be followed.
Boohoo; 1 or 2 Hubots and Ghost blogs might crash over the weekend. If you're as paranoid as you seem to be, you have someone on call to fix this and wouldn't have dared to have put such an untested technology out in the wild.
HTTP Pipelining is designed so a client can send multiple requests without waiting on a response and then the server sends all the responses in order. This is helpful on high latency links since it can combine numerous HTTP requests into fewer packets. The exploit is the client never stops to read and just writes requests nonstop. Meanwhile node's http.Server continually populates a response buffer which is never consumed.
Node uses Stream[1] objects for reading/writing streams of data. The Stream object has a 'needsDrain' boolean which is set once its internal buffer surpasses the highWaterMark (defaults to 16kb). Subsequent writes will return false[2] and code should wait until the 'drain' event is emitted, signaling it's safe to write again[3]. The documentation even warns about this scenario:
> However, writes will be buffered in memory, so it is best not to do this excessively. Instead, wait for the drain event before writing more data.
http.Server[4] uses a writeable stream to send responses to a client. Until this patch[5] it was ignoring the needsDrain/highWaterMark status and just writing to the stream. It fills up the buffer of the writeable stream, far beyond the high water mark and eventually runs out of memory.
The patch resolves this by checking when needsDrain is set, then it stops writing and stops reading/parsing incoming data. It then waits until the 'drain' event is fired and then proceeds as normal.
Node team: you're censoring the original ticket, which is unwise IHMO.
Your approach makes it impossible for an honest sysadmin to quickly find a way to block the attack using a firewall, but your approach doesn't stop an attacker from building an exploit based on the public commit.
Someone will come up with a proof of concept exploit quickly, and post it, probably here.
Please do the right thing: un-censor the GitHub ticket so we can understand what's happening.
> Your approach makes it impossible for an honest sysadmin to quickly find a way to block the attack using a firewall, but your approach doesn't stop an attacker from building an exploit based on the public commit.
This is unfair. You're implying that sysadmins don't have access to programming resources, but that attackers do, without actually coming out and saying it.
Once it's expressed this way, it seems wrongheaded. The phrase "script kiddies" comes out of attackers doing a lot without knowing much about programming. There are many sysadmins who code, and many attackers who don't. Furthermore, I think attackers are more likely to act alone than sysadmins, who often have developers working with them whom they can ask to help.
Finally, as far as I can tell this is self-censorship. The people who created the ticket participated in the decision to hide it, or aren't loudly objecting to it. This type of "censorship" is not to be confused with more serious forms of censorship.
So what they did is: release a new version with security and other changes mixed, on Friday, and didn't provide any details so you can't check if you're vulnerable post-upgrade. They could really handle it a bit better.
It struck me as an oddly specific part of a large codebase to immediately jump to, but in retrospect it makes sense.
I'm all for reading code, but I think that if you can get away with not reading code, it's actually a good sign - it means all the abstractions are holding up. jgreen10 probably didn't go off and start reading the assembly code that is generated when you compile Node.js. Again, I agree with your larger point. I just want to be careful before snubbing my nose to those who don't always read up on modules they use before using them.
Funny I noticed this on an internal server as well but chucked to an older version. Hoping it "clearly is fixed in latest code, something so glaringly obviously broken, wouldn't be hanging around too long with all the hype surrounding node these days..."
Anyway, I wouldn't stick node out exposed to the outside world. Granted sticking nginx in front presumely won't help with this issue. Just keep feeding a 4GB file to it and it will crash the back-end [EDIT: n.m. I am not sure anymore, someone mentions it is possible to mitigate it that way]
Yikes, this is a bad one. Glad they fixed it. But it leaves me with the same impression I had after finding out how MongoDB used to have unacknowledged writes turned on by default, and people's data was silently getting corrupted.
(EDIT: explanation, this creates 2g file then uploads it <myresource> as a file upload -- multipart mime. @ sign just insert the named file data into the form)
Nah. It's a DoS vulnerability, which, in general, you're always vulnerable to. It's just that this one can be done by a single person with relatively low bandwidth.
- Distributions weren't contacted prior the release.
- Everyone can see the diff for the fix in the codebase.
- There are a PoC as test-case in the code.
- The release was done in the start of weekend when everyone in America is leaving the office and everyone in Europe is sleeping.
- A big part of the community is in two conferences right now.
IMHO that was the worst way to provide a security update.