US-CERT: Vulnerability in the V8 JavaScript engine...

Jul 7, 2015 at 4:01 PM
There was a recent US-CERT alert in regards to V8 vulnerability found in applications using node.js and io.js, which is followed with updates to those platforms. Brief details of it could be found here: https://www.us-cert.gov/ncas/current-activity/2015/07/06/Security-Updates-Nodejs-and-iojs (read blog links in the article above for more info).

Is this something that ClearScript team is aware of? And if so, is there a preventive measure for it in the ClearScript API or not? I'm not quite sure whether Google's V8 team have had any chance to "fix" it on their side.

Thanks,
Max
Coordinator
Jul 17, 2015 at 2:35 PM
Hi Max,

We were not aware of this issue, but presumably the V8 team is.

In any case, our normal procedure is to pair each ClearScript release with the latest stable version of V8 on Windows as indicated here. The stable V8 versions are supported and receive security fixes as long as they remain in use and continue to be listed on that site. Bug fix releases on the stable branch should work with ClearScript, but you'll have to build them manually, overriding V8Update's compatibility warning.

All that having been said, ClearScript's latest release is paired with V8 4.2.77, which is no longer being updated. Although the latest version (.21) is newer than the one we tested, it doesn't appear to have the security fix.

All we can recommend at this time is that you try using a newer V8 branch or apply the Node.js or io.js patches to V8 4.2.77. The next ClearScript release will be paired with a new V8 version that should contain the fix.

Thanks, and good luck!
Jul 24, 2015 at 8:43 PM
Thank you for details...

Regards,
Max
Coordinator
Aug 17, 2015 at 3:42 PM
Hi Max,

ClearScript 5.4.3 uses V8 4.4.63.29, which includes a fix for this vulnerability.

Cheers!