Panzura Security Advisory PFOS-2017-003
|Title:||node.js Out of Bounds Access and Denial of Service|
|Affected Products:||PFOS – 7.X versions through 220.127.116.11|
The GUI component of PFOS software contains two vulnerabilities. One in which out of bounds data was being read, and one which allowed a DNS attack to cause a denial of service.
The GUI component of PFOS is implemented using node.js. Two recent vulnerabilities were discovered. The first allowed a specially crafted DNS packet to cause the GUI to read out of bounds data. The second allowed another specially crafted DNS packet to cause a denial of service against the GUI.
Panzura is in the process of creating upgrades for all supported releases. Release notes for the new versions outlining the correction of this vulnerability will be documented here.
See https://nodesource.com/blog/node-js-security-release-summary-july-2017/ for more information.