Amazon Linux 2 : http-parser (ALAS-2019-1322)

medium Nessus Plugin ID 130219

Synopsis

The remote Amazon Linux 2 host is missing a security update.

Description

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.(CVE-2018-12121)

It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior.(CVE-2018-7159)

Solution

Run 'yum update http-parser' to update your system.

See Also

https://alas.aws.amazon.com/AL2/ALAS-2019-1322.html

Plugin Details

Severity: Medium

ID: 130219

File Name: al2_ALAS-2019-1322.nasl

Version: 1.2

Type: local

Agent: unix

Published: 10/25/2019

Updated: 12/18/2019

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-7159

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:http-parser, cpe:/o:amazon:linux:2, p-cpe:/a:amazon:linux:http-parser-debuginfo, p-cpe:/a:amazon:linux:http-parser-devel

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 10/23/2019

Vulnerability Publication Date: 5/17/2018

Reference Information

CVE: CVE-2018-12121, CVE-2018-7159

ALAS: 2019-1322