Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6720DA76DC4080270DED501486287C7B59D94D2F8D7A2176D0DC69216ABD0ABB
HistorySep 26, 2018 - 6:40 p.m.

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)

2018-09-2618:40:01
www.ibm.com
14

0.042 Low

EPSS

Percentile

92.3%

JSON

Summary

IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities

Vulnerability Details

CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144740&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7164 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading from the network into JavaScript using the net.Socket object directly as a stream. By sending tiny chunks of data in short succession, a remote attacker could exploit this vulnerability to cause the application to exhaust all memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144739&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7162 DESCRIPTION: Node.js is vulnerable to a denial of service. By sending duplicate/unexpected messages during the handshake, a remote attacker could exploit this vulnerability to cause the node server providing an http server supporting TLS server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144738&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cloud Private 2.1.0

IBM Cloud Private Cloud Foundry 2.1.0

Remediation/Fixes

Release Fixing VRM Level Platform Link to Fix
IBM Cloud Private 2.1.0.x 2.1.0.3 Fix Pack 1 + Patch Linux

2.1.0.3 Fix Pack 1

Helm API Patch

Vulnerability Advisor Patch

IBM Cloud Private Cloud Foundry 2.1.0.x | 2.1.0.3 Fix Pack 1 | Linux | 2.1.0.3 Fix Pack 1

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeqany

Related

freebsd 2
nessus 24
nodejsblog 1
openvas 23
altlinux 1
fedora 4
suse 2
ibm 9
photon 8
ubuntucve 5
osv 7
cve 5
prion 5
f5 5
veracode 7
redhatcve 5
debiancve 5
redhat 3
checkpoint_advisories 2
alpinelinux 3
cbl_mariner 5
amazon 1
nvd 5
cvelist 5
gentoo 1
debian 1
ubuntu 1
mageia 1
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-06-12 00:00:00
nghttp2 -- Denial of service due to NULL pointer dereference
2018-04-04 00:00:00
nessus
nessus
Node.js multiple vulnerabilities (July 2018 Security Releases).
2018-11-14 00:00:00
FreeBSD : node.js -- multiple vulnerabilities (45b8e2eb-7056-11e8-8fab-63ca6e0e13a2)
2018-06-15 00:00:00
Fedora 27 : 1:nodejs (2018-79841c871e)
2018-07-02 00:00:00
nodejsblog
nodejsblog
June 2018 Security Releases
2018-06-12 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:1918-1)
2021-06-09 00:00:00
Fedora Update for nodejs FEDORA-2018-79841c871e
2018-07-03 00:00:00
openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2018:1963-1)
2018-10-26 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 8.11.3-alt1
2018-06-30 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: nodejs-8.11.3-1.fc27
2018-07-01 22:24:06
[SECURITY] Fedora 28 Update: nodejs-8.11.3-1.fc28
2018-06-18 16:20:43
[SECURITY] Fedora 28 Update: nghttp2-1.31.1-1.fc28
2018-04-17 00:27:10
suse
suse
Security update for nodejs8 (moderate)
2018-07-14 03:11:40
Security update for nodejs6 (moderate)
2018-07-14 03:11:04
ibm
ibm
Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM)
2022-09-15 19:20:56
Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
2018-09-11 18:41:01
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software (CVE-2018-1000168, CVE-2018-7161)
2018-11-12 16:15:02
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0185
2018-09-17 00:00:00
ubuntucve
ubuntucve
CVE-2018-1000168
2018-04-12 00:00:00
CVE-2018-7162
2018-06-13 00:00:00
CVE-2018-7161
2018-06-13 00:00:00
osv
osv
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:01
CVE-2018-7161
2018-06-13 16:29:01
cve
cve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:01
CVE-2018-7161
2018-06-13 16:29:01
prion
prion
Input validation
2018-05-08 15:29:00
Design/Logic Flaw
2018-06-13 16:29:00
Design/Logic Flaw
2018-06-13 16:29:00
f5
f5
K49902412 : nghttp vulnerability CVE-2018-1000168
2018-04-12 00:00:00
K15131064 : Node.js vulnerability CVE-2018-7162
2018-06-15 00:00:00
K34369533 : Node.js vulnerability CVE-2018-7161
2018-06-15 00:00:00
veracode
veracode
Denial Of Service (DoS)
2018-11-20 05:23:08
Denial Of Service (DoS)
2018-07-31 05:45:54
Denial Of Service (DoS)
2018-06-14 04:26:39
redhatcve
redhatcve
CVE-2018-1000168
2019-10-25 06:31:58
CVE-2018-7162
2019-10-21 08:20:27
CVE-2018-7164
2020-04-01 13:58:28
debiancve
debiancve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7164
2018-06-13 16:29:01
CVE-2018-7161
2018-06-13 16:29:01
redhat
redhat
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2019:0367) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
2019-02-18 16:47:10
(RHSA-2019:0366) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update
2019-02-18 16:45:31
checkpoint_advisories
checkpoint_advisories
Node.js Foundation Node.js nghttp2 nghttp2_frame_altsvc_free Null Pointer Dereference (CVE-2018-1000168)
2019-02-14 00:00:00
Node.js Foundation Node.js TLS Denial of Service (CVE-2018-7162)
2019-02-14 00:00:00
alpinelinux
alpinelinux
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7161
2018-06-13 16:29:01
CVE-2018-7167
2018-06-13 16:29:01
cbl_mariner
cbl_mariner
CVE-2018-1000168 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-7162 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-7164 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
amazon
amazon
Medium: nghttp2
2018-05-24 17:59:00
nvd
nvd
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7161
2018-06-13 16:29:01
CVE-2018-7162
2018-06-13 16:29:01
cvelist
cvelist
CVE-2018-1000168
2018-05-08 15:00:00
CVE-2018-7164
2018-06-12 00:00:00
CVE-2018-7161
2018-06-12 00:00:00
gentoo
gentoo
Node.js: Multiple vulnerabilities
2020-03-20 00:00:00
debian
debian
[SECURITY] [DLA 2786-1] nghttp2 security update
2021-10-17 06:03:02
ubuntu
ubuntu
Node.js vulnerabilities
2021-03-15 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2019-09-15 16:24:16

0.042 Low

EPSS

Percentile

92.3%

JSON
Related for 6720DA76DC4080270DED501486287C7B59D94D2F8D7A2176D0DC69216ABD0ABB
freebsd2nessus24nodejsblog1openvas23altlinux1fedora4suse2ibm9photon8ubuntucve5osv7cve5prion5f55veracode7redhatcve5debiancve5redhat3checkpoint_advisories2alpinelinux3cbl_mariner5amazon1nvd5cvelist5gentoo1debian1ubuntu1mageia1