[Editor’s note: Made some updates to clarify that Node v0.9.2 – v0.10.1 are vulnerable, and that the components a Node app might rely on, are most certainly affected.]
By now you’ve read all about the Heartbleed bug and the potential threat it poses to the users of websites and applications that make use of OpenSSL. What about websites and applications built with Node.js? Are Node apps affected by the Heartbleed bug? The short answer is yes and no. Node itself isn’t, but the components you use in conjunction with it likely are. Here’s the long answer…
What is the Heartbleed bug?
From the heartbleed.com site:
“The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Why is Node not affected?
Node core itself is not vulnerable because the problematic OpenSSL feature was disabled in Node's build about a year ago, for unrelated reasons.
What actions do Node users need to take?
Most versions of Node.js are not vulnerable, but applications may be running behind vulnerable network components like SSL terminators. Make sure you check your applications with a Heartbeat test tool and audit your non-Node infrastructure components. Make sure to review heartbleed.com for comprehensive advice on dealing with this serious security bug.
Also, some developers are worried that the modules they rely on may be affected. For example, someone asked if Bcrypt was affected. This particular module doesn’t use or expose TLS/SSL. We aren’t aware of any modules that expose it, but in theory they could exist. Your best bet is to check with the module’s maintainers if you have questions.
Finally, developers may also be vulnerable if they compiled Node with the --use-system-openssl flag or got it from a distro that does. In that case the issue is mitigated by upgrading the distro’s OpenSSL.
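As an added triage helper (not code from the original post or from StrongLoop), the script below checks a Node binary against the two ranges this post is concerned with: the Node versions named in the editor’s note (v0.9.2 – v0.10.1) and the OpenSSL versions the OpenSSL project’s own advisory lists as affected (1.0.1 through 1.0.1f, fixed in 1.0.1g). It assumes `process.versions.openssl` and `process.config.variables.node_shared_openssl` are present, which they are on stock Node builds; the latter flags the system-OpenSSL case described above.

```javascript
// Added Heartbleed triage helper for Node deployments (not part of the StrongLoop post).
// Node range v0.9.2 - v0.10.1 comes from the post's editor's note; the OpenSSL range
// 1.0.1 - 1.0.1f (fixed in 1.0.1g) comes from the OpenSSL project's advisory.

// Parse "1.0.1e", "1.0.1g-fips" or "1.0.2" into { base: [1, 0, 1], letter: "e" }.
function parseOpenSslVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]?)/.exec(String(str).trim());
  return m ? { base: [+m[1], +m[2], +m[3]], letter: m[4] } : null;
}

// Only the 1.0.1 branch up to and including 1.0.1f shipped the buggy heartbeat code.
// 0.9.8 and 1.0.0 never had the TLS heartbeat extension; 1.0.1g and later are fixed.
function openSslVersionIsVulnerable(str) {
  const v = parseOpenSslVersion(str);
  if (!v) return false; // unparseable string: not a positive match, investigate by hand
  const on101 = v.base[0] === 1 && v.base[1] === 0 && v.base[2] === 1;
  return on101 && v.letter <= 'f'; // '' (plain 1.0.1) sorts before 'f', so it counts
}

// Parse "v0.10.1" or "0.10.1" into [0, 10, 1].
function parseNodeVersion(str) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(str).trim());
  return m ? [+m[1], +m[2], +m[3]] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Inclusive range v0.9.2 - v0.10.1, as stated in the post's editor's note.
function nodeVersionIsVulnerable(str) {
  const v = parseNodeVersion(str);
  return !!v && compareVersions(v, [0, 9, 2]) >= 0 && compareVersions(v, [0, 10, 1]) <= 0;
}

// Report on the Node process running this script.
function auditRunningProcess() {
  const vars = (process.config && process.config.variables) || {};
  return {
    node: process.version,
    nodeInRange: nodeVersionIsVulnerable(process.version),
    openssl: String(process.versions.openssl),
    opensslInRange: openSslVersionIsVulnerable(process.versions.openssl),
    // true when Node links the distro's OpenSSL: then the fix is the distro package, not Node
    usesSystemOpenSsl: vars.node_shared_openssl === true,
  };
}

console.log(auditRunningProcess());
```

Treat a version match as a prompt to investigate, not a verdict: distributions backport the fix without changing the version letter, so a patched "1.0.1e" from a distro package reports as in range here, and the authoritative checks remain the vendor's patch notes and a heartbeat test against the live endpoint.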
Where is the best place to stay on top of Node security issues in the future?
At StrongLoop, we make it our business to track and fix security issues in Node as they arise. Following us on Twitter and joining the Node development and security mailing lists are all good ways to stay on top of security developments as they pertain to Node.
To learn more about how StrongLoop can help your organization with technical support, DevOps or developing APIs in Node, please visit: strongloop.com/