The issue can be mitigated by avoiding logging absolutely anything to the log.
Red Hat has provided a workaround, which can be applied by setting the config.PUT_DEBUG in the Red Hat Node.js configuration to false. A bug was found in Node.js' XNIO networking library, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.
This issue was found to be a race condition in the server.
The issue can be mitigated by tightening the security of the code.
In addition, we have verified that this vulnerability has been patched on our upstream Node.js repository and also on the master node of all downstream Node.js distributions.
Weak SSL Ciphers
Weak SSL ciphers are a potential security threat to your business. Weak encryption ciphers can be exploited by attackers and provide less protection than a stronger cipher. While there is no reason for you to use weak encryption ciphers, you should still be aware of the issue and understand the risks involved.
To avoid these risks, it's advisable that you change the default cipher on your server from AES-128-CBC to AES-256-CBC. This will make your connection more secure when faced with a weaker cipher. For example, if you have SSL enabled on your website and an attacker sends a request which uses an old version of TLS or an older private key format, their connection would not be encrypted at all by that particular server.
An attacker could use this flaw to cause an unwanted disk fill-up.
The workaround can be applied by setting the config.PUT_DEBUG in the Red Hat Node.js configuration to false.
Overview of the Node.js Security Landscape
There has been an uptick in security vulnerabilities discovered in Node.js recently, which includes CVE-2022-0084, a flaw found in XNIO's notifyReadClosed method. This issue was found by a Node user named Zano who submitted this issue to Red Hat's Bugzilla portal on Wednesday, June 27th, 2018.
Published on: 08/26/2022 18:15:00 UTC
Last modified on: 09/01/2022 15:34:00 UTC