Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM71214CC681DBA526F334234737E66EEE4E277A6AABC6F29F058AD8A676E36BE0
HistoryMar 23, 2020 - 8:41 p.m.

Security Bulletin: Vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11

2020-03-2320:41:52
www.ibm.com
12

0.01 Low

EPSS

Percentile

83.8%

JSON

Summary

IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js version 8 for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID: CVE-2019-5739 DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode forcing the connection to remain open and inactive for up to 2 minutes, a remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158096&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-16487 DESCRIPTION: Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution flaw. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to inject properties onto Object.prototype to cause a denial of service condition.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/156530&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2019-1559 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/157514&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.16

IBM App connect Enterprise V11 , V11.0.0.0 - V11.0.0.4

Remediation/Fixes

Product VRMF APAR Remediation/Fix
IBM Integration Bus V10.0.0.0 -V10.0.0.16

IT29244,

IT29245 ,

IT29246

|

The APAR is available in fix pack 10.0.0.17

IBM Integration Bus V10.0 - Fix Pack 10.0.0.17

IBM App Connect Enterprise V11 | V11.0.0.0 -V11.0.0.4 |

IT29244,

IT29245 ,

IT29246

|

The APAR is available in fix pack 11.0.0.5

IBM App Connect Enterprise Version V11 - Fix Pack 11.0.0.5

CPENameOperatorVersion
ibm integration buseqany

Related

nessus 54
ibm 47
openvas 31
suse 6
freebsd 2
prion 3
github 1
redhatcve 3
hackerone 1
ubuntucve 3
nodejsblog 1
nvd 3
osv 7
cvelist 3
cve 3
debiancve 3
nodejs 1
veracode 2
cloudfoundry 1
ubuntu 2
paloalto 1
redhat 2
altlinux 1
aix 1
centos 2
f5 1
archlinux 2
alpinelinux 1
debian 2
symantec 1
slackware 1
openssl 1
mageia 1
qualysblog 1
gentoo 1
amazon 3
nessus
nessus
openSUSE Security Update : nodejs6 (openSUSE-2019-1173)
2019-04-09 00:00:00
SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2019:0818-1)
2019-04-01 00:00:00
openSUSE Security Update : nodejs4 (openSUSE-2019-1076)
2019-03-29 00:00:00
ibm
ibm
Security Bulletin: Secure Gateway is affected by multiple vulnerabilities
2019-06-06 17:15:01
Security Bulletin: Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE's (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)
2019-09-17 17:32:30
Security Bulletin: Multiple Security Vulnerabilities affect IBM Cloud Private (CVE-2019-5739 CVE-2019-5737 CVE-2019-1559)
2019-07-02 17:50:01
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2019:0658-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2019:0818-1)
2021-06-09 00:00:00
openSUSE: Security Advisory for nodejs6 (openSUSE-SU-2019:1173-1)
2019-04-09 00:00:00
suse
suse
Security update for nodejs4 (moderate)
2019-03-28 00:00:00
Security update for nodejs6 (moderate)
2019-04-08 00:00:00
Security update for openssl (moderate)
2019-04-08 00:00:00
freebsd
freebsd
Node.js -- multiple vulnerabilities
2019-02-28 00:00:00
OpenSSL -- Padding oracle vulnerability
2019-02-19 00:00:00
prion
prion
Buffer overflow
2019-02-01 18:29:00
Design/Logic Flaw
2019-03-28 17:29:00
Design/Logic Flaw
2019-02-27 23:29:00
github
github
Prototype Pollution in lodash
2019-02-07 18:16:48
redhatcve
redhatcve
CVE-2018-16487
2019-02-01 23:49:27
CVE-2019-5739
2020-04-03 07:51:46
CVE-2019-1559
2019-10-08 17:49:09
hackerone
hackerone
Node.js third-party modules: Prototype pollution attack (lodash / constructor.prototype)
2018-07-12 08:28:18
ubuntucve
ubuntucve
CVE-2018-16487
2019-02-01 00:00:00
CVE-2019-5739
2019-03-28 00:00:00
CVE-2019-1559
2019-02-26 00:00:00
nodejsblog
nodejsblog
February 2019 Security Releases
2019-02-28 00:00:00
nvd
nvd
CVE-2018-16487
2019-02-01 18:29:00
CVE-2019-5739
2019-03-28 17:29:01
CVE-2019-1559
2019-02-27 23:29:00
osv
osv
CVE-2018-16487
2019-02-01 18:29:00
Prototype Pollution in lodash
2019-02-07 18:16:48
CVE-2019-5739
2019-03-28 17:29:01
cvelist
cvelist
CVE-2018-16487
2019-02-01 18:00:00
CVE-2019-5739
2019-03-28 16:27:34
CVE-2019-1559 0-byte record padding oracle
2019-02-26 00:00:00
cve
cve
CVE-2018-16487
2019-02-01 18:29:00
CVE-2019-5739
2019-03-28 17:29:01
CVE-2019-1559
2019-02-27 23:29:00
debiancve
debiancve
CVE-2018-16487
2019-02-01 18:29:00
CVE-2019-5739
2019-03-28 17:29:01
CVE-2019-1559
2019-02-27 23:29:00
nodejs
nodejs
Prototype Pollution
2019-02-13 16:16:53
veracode
veracode
Prototype Pollution Attack
2018-11-01 08:55:31
Padding Oracle Attack
2019-03-01 01:32:23
cloudfoundry
cloudfoundry
USN-3899-1: OpenSSL vulnerability | Cloud Foundry
2019-03-21 00:00:00
ubuntu
ubuntu
OpenSSL vulnerability
2019-02-27 00:00:00
OpenSSL vulnerabilities
2020-07-09 00:00:00
paloalto
paloalto
OpenSSL vulnerability CVE-2019-1559 has been resolved in PAN-OS
2019-12-04 17:00:00
redhat
redhat
(RHSA-2019:2471) Moderate: openssl security update
2019-08-13 14:07:51
(RHSA-2019:2304) Moderate: openssl security and bug fix update
2019-08-06 08:23:32
altlinux
altlinux
Security fix for the ALT Linux 9 package openssl10 version 1.0.2r-alt1
2019-03-20 00:00:00
aix
aix
There is a vulnerability in OpenSSL used by AIX.
2019-04-16 10:48:55
centos
centos
openssl security update
2019-08-16 21:53:45
openssl security update
2019-08-30 03:49:42
f5
f5
K18549143 : OpenSSL vulnerability CVE-2019-1559
2019-03-19 00:00:00
archlinux
archlinux
[ASA-201903-6] lib32-openssl-1.0: information disclosure
2019-03-03 00:00:00
[ASA-201903-2] openssl-1.0: information disclosure
2019-03-02 00:00:00
alpinelinux
alpinelinux
CVE-2019-1559
2019-02-27 23:29:00
debian
debian
[SECURITY] [DSA 4400-1] openssl1.0 security update
2019-02-28 22:13:35
[SECURITY] [DLA 1701-1] openssl security update
2019-03-01 22:55:06
symantec
symantec
OpenSSL CVE-2019-1559 Information Disclosure Vulnerability
2019-02-26 00:00:00
slackware
slackware
[slackware-security] openssl (slackware 14.2)
2019-02-27 04:12:59
openssl
openssl
Vulnerability in OpenSSL CVE-2019-1559
2019-02-26 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerability
2019-03-07 19:34:45
qualysblog
qualysblog
Zombie POODLE and GOLDENDOODLE Vulnerabilities
2019-04-22 08:40:40
gentoo
gentoo
OpenSSL: Multiple vulnerabilities
2019-03-14 00:00:00
amazon
amazon
Medium: openssl
2019-04-04 21:45:00
Medium: openssl
2019-11-11 17:41:00
Medium: openssl
2019-04-04 19:13:00

0.01 Low

EPSS

Percentile

83.8%

JSON
Related for 71214CC681DBA526F334234737E66EEE4E277A6AABC6F29F058AD8A676E36BE0
nessus54ibm47openvas31suse6freebsd2prion3github1redhatcve3hackerone1ubuntucve3nodejsblog1nvd3osv7cvelist3cve3debiancve3nodejs1veracode2cloudfoundry1ubuntu2paloalto1redhat2altlinux1aix1centos2f51archlinux2alpinelinux1debian2symantec1slackware1openssl1mageia1qualysblog1gentoo1amazon3