PZOS-2017-003: node.js Out of Bounds Access and Denial of Service

Issue Date: 2017/07/18
Updated Date: 2017/07/18
Title: node.js Out of Bounds Access and Denial of Service
Classification: Low
Status: Closed
Affected Products: PZOS – 7.X versions through 7.0.0.1

Summary

The GUI component of PZOS software contains two vulnerabilities: one in which out-of-bounds data was read, and one that allowed a DNS attack to cause a denial of service.

Details

The GUI component of PZOS is implemented using node.js. Two recent vulnerabilities were discovered. The first allowed a specially crafted DNS packet to cause the GUI to read out-of-bounds data. The second allowed another specially crafted DNS packet to cause a denial of service against the GUI.

See https://nodesource.com/blog/node-js-security-release-summary-july-2017/ for more information.

Resolution

Upgrades are available for all supported releases. Please consult with Panzura Support on the appropriate upgrade for your environment.