Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6F6768C352D35E635941DEB363A246932AED6F313203D35ADA25B85FA350C55A
HistorySep 11, 2018 - 6:41 p.m.

Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud

2018-09-1118:41:01
www.ibm.com
13

0.042 Low

EPSS

Percentile

92.3%

JSON

Summary

OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Security vulnerabilities have been reported in Node.js that affect IBM® SDK for Node.js™ in IBM Cloud.

Vulnerability Details

CVEID: CVE-2018-0732 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144658&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-12115 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an out-of-bounds write in Buffer. An attacker could exploit this vulnerability to write to memory outside of a Buffer’s memory space, corrupt Buffer objects or cause the process to crash.
CVSS Base Score: 8.2
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148426&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID: CVE-2018-7166 DESCRIPTION: Node.js could allow a remote attacker to obtain sensitive information, caused by the return of uninitialized memory by the Buffer.alloc() function. By sending a specially crafted argument, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148425&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-0737 DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141679&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144740&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7164 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading from the network into JavaScript using the net.Socket object directly as a stream. By sending tiny chunks of data in short succession, a remote attacker could exploit this vulnerability to cause the application to exhaust all memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144739&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7162 DESCRIPTION: Node.js is vulnerable to a denial of service. By sending duplicate/unexpected messages during the handshake, a remote attacker could exploit this vulnerability to cause the node server providing an http server supporting TLS server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144738&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

These vulnerabilities affect IBM SDK for Node.js v6.14.3 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v8.11.3 and earlier releases.

You can also find this file through the command-line Cloud Foundry client by running the following command:

cf ssh <appname> -c “cat staging_info.yml”

Look for the following lines:
{“detected_buildpack”:“SDK for Node.js™ (ibm-node.js-xxx, buildpack-v3.xxx)”,“start_command”:“./vendor/initial_startup.rb”}

If the Node.js engine version is not at least v6.14.4 or v8.11.4 your application may be vulnerable.

Remediation/Fixes

The fixes for these vulnerabilities are included in IBM SDK for Node.js v6.14.4 and subsequent releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js v8.11.4 and subsequent releases.

To upgrade to the latest version of the Node.js runtime, please specify the latest Node.js runtime in your package.json file for your application:

“engines”: {
“node”: “>=6.14.4”
},
_or _
“engines”: {
“node”: “>=8.11.4”
},

You will then need to restage (or re-push) your application using the IBM SDK for Node.js Buildpack v3.22.

Workarounds and Mitigations

none

CPENameOperatorVersion
ibm sdk for node.js for cloudeqany

Related

freebsd 3
nessus 53
ibm 23
nodejsblog 2
openvas 38
altlinux 3
fedora 6
redhat 4
suse 6
photon 3
oraclelinux 5
osv 6
slackware 1
symantec 1
debian 2
mageia 1
f5 4
cloudfoundry 1
ubuntu 2
gentoo 1
paloalto 1
ubuntucve 3
cloudlinux 1
veracode 3
cve 3
cvelist 3
prion 4
nvd 3
alpinelinux 3
redhatcve 3
checkpoint_advisories 2
cbl_mariner 2
debiancve 2
amazon 1
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-06-12 00:00:00
node.js -- multiple vulnerabilities
2018-08-16 00:00:00
nghttp2 -- Denial of service due to NULL pointer dereference
2018-04-04 00:00:00
nessus
nessus
Node.js multiple vulnerabilities (July 2018 Security Releases).
2018-11-14 00:00:00
FreeBSD : node.js -- multiple vulnerabilities (45b8e2eb-7056-11e8-8fab-63ca6e0e13a2)
2018-06-15 00:00:00
Node.js Multiple Vulnerabilities (August 2018 Security Releases)
2018-11-14 00:00:00
ibm
ibm
Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)
2018-09-26 18:40:01
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11
2018-11-20 12:45:01
Security Bulletin: IBM API Connect is affected by OpenSSL vulnerabilities (CVE-2018-0732 CVE-2018-12115 CVE-2018-7166 CVE-2018-0737)
2018-10-23 15:10:01
nodejsblog
nodejsblog
June 2018 Security Releases
2018-06-12 00:00:00
August 2018 Security Releases
2018-08-11 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:1918-1)
2021-06-09 00:00:00
Fedora Update for nodejs FEDORA-2018-79841c871e
2018-07-03 00:00:00
openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2018:1963-1)
2018-10-26 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 8.11.3-alt1
2018-06-30 00:00:00
Security fix for the ALT Linux 10 package node version 8.11.4-alt1
2018-08-29 00:00:00
Security fix for the ALT Linux 9 package openssl10 version 1.0.2p-alt1
2018-08-16 00:00:00
fedora
fedora
[SECURITY] Fedora 27 Update: nodejs-8.11.3-1.fc27
2018-07-01 22:24:06
[SECURITY] Fedora 28 Update: nodejs-8.11.3-1.fc28
2018-06-18 16:20:43
[SECURITY] Fedora 28 Update: openssl-1.1.0i-1.fc28
2018-09-22 20:52:36
redhat
redhat
(RHSA-2018:2553) Moderate: Red Hat OpenShift Application Runtimes Node.js 10.9.0 security update
2018-08-22 21:04:25
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2018:2552) Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
2018-08-22 21:04:23
suse
suse
Security update for nodejs8 (moderate)
2018-07-14 03:11:40
Security update for nodejs6 (moderate)
2018-09-24 12:15:49
Security update for nodejs4 (moderate)
2018-09-08 12:14:51
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0185
2018-09-17 00:00:00
oraclelinux
oraclelinux
openssl security update
2018-10-15 00:00:00
openssl security update
2018-10-12 00:00:00
openssl security update
2018-10-15 00:00:00
osv
osv
openssl - security update
2018-07-28 00:00:00
CVE-2018-1000168
2018-05-08 15:29:00
openssl1.0 - security update
2018-12-19 00:00:00
slackware
slackware
[slackware-security] openssl
2018-08-15 00:18:35
symantec
symantec
OpenSSL Vulnerabilities 16-Apr-2018 and 12-Jun-2018
2018-10-10 08:01:01
debian
debian
[SECURITY] [DLA 1449-1] openssl security update
2018-07-28 03:56:18
[SECURITY] [DSA 4355-1] openssl1.0 security update
2018-12-19 22:29:59
mageia
mageia
Updated openssl packages fix security vulnerabilities
2018-09-02 22:07:30
f5
f5
K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
2023-10-02 00:00:00
K000136924 : Node.JS vulnerabilities CVE-2018-7158, CVE-2018-7164, and CVE-2018-7166
2023-09-20 00:00:00
K49902412 : nghttp vulnerability CVE-2018-1000168
2018-04-12 00:00:00
cloudfoundry
cloudfoundry
USN-3692-1: OpenSSL vulnerabilities | Cloud Foundry
2018-07-10 00:00:00
ubuntu
ubuntu
OpenSSL vulnerabilities
2018-06-26 00:00:00
OpenSSL vulnerabilities
2018-06-26 00:00:00
gentoo
gentoo
Node.js: Multiple vulnerabilities
2020-03-20 00:00:00
paloalto
paloalto
OpenSSL Vulnerabilities in PAN-OS
2018-10-11 00:00:00
ubuntucve
ubuntucve
CVE-2018-1000168
2018-04-12 00:00:00
CVE-2018-7162
2018-06-13 00:00:00
CVE-2018-7166
2018-08-21 00:00:00
cloudlinux
cloudlinux
Fix of CVE: CVE-2018-0739, CVE-2018-0737, CVE-2021-3712, CVE-2018-0732
2021-09-21 22:11:57
veracode
veracode
Denial Of Service (DoS)
2018-11-20 05:23:08
Out-of-Bounds (OOB) Write
2019-01-15 09:26:04
Out-of-Bounds (OOB) Write
2018-08-17 07:37:44
cve
cve
CVE-2018-7166
2018-08-21 12:29:00
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:01
cvelist
cvelist
CVE-2018-7166
2018-08-12 00:00:00
CVE-2018-12115
2018-08-12 00:00:00
CVE-2018-1000168
2018-05-08 15:00:00
prion
prion
Input validation
2018-05-08 15:29:00
Design/Logic Flaw
2018-08-21 12:29:00
Design/Logic Flaw
2018-06-13 16:29:00
nvd
nvd
CVE-2018-12115
2018-08-21 12:29:00
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7161
2018-06-13 16:29:01
alpinelinux
alpinelinux
CVE-2018-12115
2018-08-21 12:29:00
CVE-2018-7161
2018-06-13 16:29:01
CVE-2018-1000168
2018-05-08 15:29:00
redhatcve
redhatcve
CVE-2018-7162
2019-10-21 08:20:27
CVE-2018-1000168
2019-10-25 06:31:58
CVE-2018-12115
2019-10-22 05:58:44
checkpoint_advisories
checkpoint_advisories
Node.js Foundation Node.js TLS Denial of Service (CVE-2018-7162)
2019-02-14 00:00:00
Node.js Foundation Node.js nghttp2 nghttp2_frame_altsvc_free Null Pointer Dereference (CVE-2018-1000168)
2019-02-14 00:00:00
cbl_mariner
cbl_mariner
CVE-2018-7162 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-1000168 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
debiancve
debiancve
CVE-2018-12115
2018-08-21 12:29:00
CVE-2018-1000168
2018-05-08 15:29:00
amazon
amazon
Medium: nghttp2
2018-05-24 17:59:00

0.042 Low

EPSS

Percentile

92.3%

JSON
Related for 6F6768C352D35E635941DEB363A246932AED6F313203D35ADA25B85FA350C55A
freebsd3nessus53ibm23nodejsblog2openvas38altlinux3fedora6redhat4suse6photon3oraclelinux5osv6slackware1symantec1debian2mageia1f54cloudfoundry1ubuntu2gentoo1paloalto1ubuntucve3cloudlinux1veracode3cve3cvelist3prion4nvd3alpinelinux3redhatcve3checkpoint_advisories2cbl_mariner2debiancve2amazon1