CVE-2018-7167: Buffer Overflow
First published: Wed Jun 13 2018(Updated: )
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases. All versions of Node.js 6.x (LTS "Boron"), 8.x (LTS "Carbon"), and 9.x are vulnerable. All versions of Node.js 10.x (Current) are NOT vulnerable.
Credit: cve-request@iojs.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| F5 BIG-IP and BIG-IQ Centralized Management | >=17.1.0<=17.1.2 | 17.5.017.1.2.2 |
| F5 BIG-IP and BIG-IQ Centralized Management | >=16.1.0<=16.1.5 | 16.1.6 |
| F5 BIG-IP and BIG-IQ Centralized Management | >=15.1.0<=15.1.10 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=14.1.0<=14.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=13.1.0<=13.1.5 | |
| F5 BIG-IP and BIG-IQ Centralized Management | >=8.0.0<=8.4.0 | |
| Langgenius Dify Node.js | >6.9.0<6.14.3 | |
| Langgenius Dify Node.js | >=8.9.0<8.11.3 | |
| Langgenius Dify Node.js | >=9.0.0<9.11.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-7167?
CVE-2018-7167 is classified as a Denial of Service vulnerability due to the potential for hanging behavior when using Buffer.fill() or Buffer.alloc().
How do I fix CVE-2018-7167?
To fix CVE-2018-7167, upgrade to the patched versions of Node.js or F5 BIG-IP as specified in the vulnerability reports.
Which software versions are affected by CVE-2018-7167?
CVE-2018-7167 affects multiple versions of Node.js from 6.9.0 to 6.14.3, 8.9.0 to 8.11.3, and 9.0.0 to 9.11.2, as well as specific versions of F5 BIG-IP.
What kind of attack can CVE-2018-7167 facilitate?
CVE-2018-7167 can facilitate a Denial of Service attack by causing the application to hang when certain conditions are met.
Is CVE-2018-7167 a critical vulnerability?
While CVE-2018-7167 is significant, it is primarily a Denial of Service issue which does not allow for remote code execution, making it less critical than other vulnerabilities.
- agent/type
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/references
- agent/severity
- agent/description
- agent/event
- agent/source
- agent/tags
- collector/f5-advisory
- source/F5
- alias/CVE-2018-7167
- alias/CVE-2018-12115
- alias/CVE-2018-12116
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management
- version/f5 big-ip and big-iq centralized management/17.1.0
- version/f5 big-ip and big-iq centralized management/17.1.2
- version/f5 big-ip and big-iq centralized management/16.1.0
- version/f5 big-ip and big-iq centralized management/16.1.5
- version/f5 big-ip and big-iq centralized management/15.1.0
- version/f5 big-ip and big-iq centralized management/15.1.10
- version/f5 big-ip and big-iq centralized management/14.1.0
- version/f5 big-ip and big-iq centralized management/14.1.5
- version/f5 big-ip and big-iq centralized management/13.1.0
- version/f5 big-ip and big-iq centralized management/13.1.5
- version/f5 big-ip and big-iq centralized management/8.0.0
- version/f5 big-ip and big-iq centralized management/8.4.0
- vendor/nodejs
- canonical/langgenius dify node.js
- version/langgenius dify node.js/8.9.0
- version/langgenius dify node.js/9.0.0