CVE-2019-15604

CVSS score: 7.5 (HIGH)

📋 TL;DR

CVE-2019-15604 is an improper certificate validation vulnerability in Node.js that causes the process to crash when processing a specially crafted X.509 certificate. This affects Node.js 10.x, 12.x, and 13.x versions, potentially leading to denial of service for applications that handle TLS/SSL connections. Any Node.js server or application using TLS/SSL with affected versions is vulnerable.

💻 Affected Systems

Products:
  • Node.js
Versions: 10.x (before 10.17.0), 12.x (before 12.13.1), 13.x (before 13.3.0)
Operating Systems: All platforms running affected Node.js versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using TLS/SSL functionality. Applications not handling TLS connections are not vulnerable.

📦 What is this software?

Node.js is an open-source, cross-platform JavaScript runtime built on the V8 engine and widely used for server-side applications and network services. Its tls and https modules provide TLS/SSL on top of OpenSSL; certificate handling in that code path is where this vulnerability is reached.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker sends crafted certificates that crash Node.js processes, causing a complete denial of service for the affected applications.

🟠 Likely Case

Denial of service through process crashes when malicious certificates are processed, disrupting TLS/SSL functionality in Node.js applications.

🟢 If Mitigated

With proper network controls and certificate validation in front of Node.js, impact is limited to a crash only when a malicious certificate bypasses those filters.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending a crafted certificate to a vulnerable TLS endpoint; no authentication is needed if the endpoint is exposed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Node.js 10.17.0, 12.13.1, 13.3.0 or later

Vendor Advisory: https://nodejs.org/en/blog/vulnerability/december-2019-security-releases/

Restart Required: Yes

Instructions:

1. Check the current Node.js version: node --version
2. Update to a patched version using your package manager:
- Ubuntu/Debian: apt update && apt upgrade nodejs
- RHEL/CentOS: yum update nodejs
- Using nvm: nvm install 10.17.0 (or the patched version for your release line)
3. Restart all Node.js applications and services

🔧 Temporary Workarounds

Network filtering for certificate traffic (platform: all)

Implement network controls that filter or block suspicious certificate traffic before it reaches TLS endpoints.

Load balancer certificate validation (platform: all)

Put a load balancer or reverse proxy that performs strict certificate validation in front of Node.js, so certificates are validated before traffic reaches the application.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable Node.js applications from untrusted networks
  • Deploy WAF or reverse proxy with certificate validation in front of vulnerable applications

🔍 How to Verify

Check if Vulnerable:

Run node --version and check whether the version is 10.x (<10.17.0), 12.x (<12.13.1), or 13.x (<13.3.0).

Check Version:

node --version

Verify Fix Applied:

After patching, verify node --version shows 10.17.0+, 12.13.1+, or 13.3.0+. Test TLS functionality remains operational.
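The version check described in the fix instructions and in the verification steps above, written out as an added example (this is not code from the advisory or from the Node.js project). It classifies a version string against the first patched release on each affected line listed here, 10.17.0, 12.13.1 and 13.3.0, and wraps the node --version step so the result can gate a deployment. It assumes a node binary on PATH (or one named as the first argument) and reports release lines other than 10.x, 12.x and 13.x as not listed, since the advisory names only those three.

```sh
#!/bin/sh
# Added example (not part of the advisory or of Node.js itself): classify a
# Node.js version string against the first patched release on each affected
# line named above: 10.17.0, 12.13.1 and 13.3.0. Only the 10.x, 12.x and 13.x
# lines are listed as affected, so other majors are reported as "not-listed"
# rather than guessed at.

# node_is_vulnerable VERSION
#   prints: vulnerable | patched | not-listed | unparseable
#   exit status: 0 = vulnerable, 1 = patched or not listed, 2 = unparseable
node_is_vulnerable() {
    v=${1#v}                                   # "v12.13.0" -> "12.13.0"
    case "$v" in
        ''|*[!0-9.]*) echo unparseable; return 2 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs   # split on dots
    major=$1; minor=${2:-0}; patch=${3:-0}

    # First fixed version per release line, as given in the advisory.
    case "$major" in
        10) fix_minor=17; fix_patch=0 ;;
        12) fix_minor=13; fix_patch=1 ;;
        13) fix_minor=3;  fix_patch=0 ;;
        *)  echo not-listed; return 1 ;;
    esac

    # Vulnerable when strictly older than the fix on the same line.
    if [ "$minor" -lt "$fix_minor" ] ||
       { [ "$minor" -eq "$fix_minor" ] && [ "$patch" -lt "$fix_patch" ]; }; then
        echo vulnerable; return 0
    fi
    echo patched; return 1
}

# check_installed_node [NODE_BINARY]
#   runs "<binary> --version" (the check step above) and classifies the result.
check_installed_node() {
    bin=${1:-node}
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "$bin: not found on PATH"
        return 2
    fi
    ver=$("$bin" --version 2>/dev/null)
    printf '%s %s CVE-2019-15604: ' "$bin" "$ver"
    node_is_vulnerable "$ver"
}

# Script entry point: report on the node on PATH (or the binary named in $1).
# The result is kept in $status so a wrapper can gate a deploy on it without
# the script aborting under "sh -e".
status=0
check_installed_node "$@" || status=$?
```

Run it as sh check-node.sh, or sh check-node.sh /opt/node/bin/node to check a binary that is not first on PATH; a status of 0 means the installed version is inside an affected range.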

📡 Detection & Monitoring

Log Indicators:

  • Node.js process crashes or abnormal terminations
  • TLS handshake failures with unusual certificates
  • Increased error rates in TLS connections

Network Indicators:

  • Unusual certificate traffic to Node.js TLS ports
  • Multiple connection attempts with malformed certificates

SIEM Query:

source="nodejs" AND (event="process_exit" OR event="crash" OR message="TLS handshake error")
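The log and network indicators above, turned into a check that runs over a journal or syslog export, as an added example (not from the advisory or the Node.js project). Everything in it is constructed for the demo: the host web01, the unit webapp.service, the 203.0.113.0/24 documentation addresses and the message wording, which differs between Node.js versions and applications; the patterns are the ones to adapt to your own logs.

```sh
#!/bin/sh
# Added example (not from the advisory): turn the log indicators listed above,
# process crashes, TLS handshake failures and a rising TLS error rate, into a
# check that runs over a journal or syslog export. The sample lines, host name,
# unit name and addresses are all constructed for the demo.

# Constructed sample journal excerpt (not real output).
sample_log() {
    cat <<'EOF'
Dec 17 10:01:02 web01 node[2314]: server listening on :8443
Dec 17 10:01:09 web01 node[2314]: TLS handshake error from 203.0.113.7:51022: unsupported certificate purpose
Dec 17 10:01:10 web01 node[2314]: TLS handshake error from 203.0.113.7:51023: unable to get local issuer certificate
Dec 17 10:01:11 web01 node[2314]: TLS handshake error from 203.0.113.7:51024: unable to get local issuer certificate
Dec 17 10:01:12 web01 node[2314]: Assertion failed while parsing peer certificate
Dec 17 10:01:12 web01 systemd[1]: webapp.service: Main process exited, code=killed, status=6/ABRT
Dec 17 10:01:13 web01 systemd[1]: webapp.service: Scheduled restart job, restart counter is at 1.
EOF
}

# detect_tls_dos LOGFILE [THRESHOLD]
#   prints "handshake_errors=N crashes=M verdict=ok|watch|alert"
#   alert: an assertion failure or SIGABRT exit was logged (the direct symptom here)
#   watch: no crash yet, but handshake errors reached THRESHOLD (default 5)
detect_tls_dos() {
    awk -v threshold="${2:-5}" '
        /TLS handshake error/                 { handshake++ }
        /Assertion failed|status=6\/ABRT/     { crash++ }
        END {
            verdict = "ok"
            if (handshake + 0 >= threshold + 0) verdict = "watch"
            if (crash + 0 > 0)                  verdict = "alert"
            printf "handshake_errors=%d crashes=%d verdict=%s\n", handshake + 0, crash + 0, verdict
        }' "$1"
}

# handshake_errors_by_source LOGFILE
#   counts handshake failures per peer address ("from IP:port"), busiest first;
#   the split on ":" assumes IPv4 peers, IPv6 literals would need a different cut.
handshake_errors_by_source() {
    awk '/TLS handshake error from/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { split($(i + 1), a, ":"); count[a[1]]++ }
        }
        END { for (ip in count) printf "%s %d\n", ip, count[ip] }' "$1" | sort -k2,2nr
}

# Demo over the constructed sample; in production feed it
# "journalctl -u webapp.service" output instead.
tmp=$(mktemp)
sample_log > "$tmp"
detect_tls_dos "$tmp" 3
handshake_errors_by_source "$tmp"
rm -f "$tmp"
```

The two-level verdict mirrors the indicators: a single assertion failure or SIGABRT exit is already the crash this CVE produces and is worth an alert on its own, while a burst of handshake errors from one peer is the early sign worth a closer look before a crash lands.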
