IBM75C04DE0F54D2EF358D0E373B3D5EEEE4D92511F683798982BDB7C911184CD66Security Bulletin: Vulnerability in Node.js affects IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition (CVE-2024-36138)
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
Summary
Node.js is used as runtime and SDK for Apache Cordova applications within IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition. Information about security vulnerabilities affecting Node.js has been published in a security bulletin. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.
Vulnerability Details
CVEID:CVE-2024-36138
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by the incomplete fix of CVE-2024-27980 which was the improper handling of batch files in child_process.spawn / child_process.spawnSync. By sending a specially crafted command line argument, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297432 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| RDi | 9.6 |
Remediation/Fixes
The issue can be fixed by loading an interim fix.
| Products(s) | Versions(s) | Remediation/Fix/Instructions |
|---|---|---|
| IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition | 9.6.0.0 - 9.6.0.13 |
IBM strongly recommends addressing the vulnerability now by upgrading to Node.js 18.20.4, please follow Upgrading the Node.js that is used by Cordova or NodeRed to upgrade.
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | rational_business_developer | 9.6.0.0 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.0:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.1 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.1:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.2 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.2:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.3 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.3:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.4 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.4:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.5 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.5:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.6 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.6:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.7 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.7:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.8 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.8:*:*:*:*:*:*:* |
| ibm | rational_business_developer | 9.6.0.9 | cpe:2.3:a:ibm:rational_business_developer:9.6.0.9:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low