Lucene search

IBM7A92E6AD21E50791DB3B5F8A5854845620B9EECB71939A3BF77B4609DF71A7C4

HistorySep 19, 2022 - 2:38 p.m.

Security Bulletin: A security vulnerability in Nodejs marked affects IBM Cloud Pak for Multicloud Management Managed Services

2022-09-1914:38:15

www.ibm.com

nodejs

ibm cloud pak

multicloud management

denial of service

vulnerability

regular expression

fix pack 5

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

60.8%

JSON

Summary

A security vulnerability in Nodejs marked affects IBM Cloud Pak for Multicloud Management Managed Services

Vulnerability Details

CVEID:CVE-2022-21681
**DESCRIPTION:**Node.js marked module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in inline.reflinkSearch. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217320 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Cloud Pak for Multicloud Management Infrastructure Management	All

Remediation/Fixes

Upgrade to IBM Cloud Pak for Multicloud Management 2.3 Fix Pack 5 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-5>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_multicloud_managementMatch2.3.

VendorProductVersionCPE
ibmcloud_pak_for_multicloud_management2.3.cpe:2.3:a:ibm:cloud_pak_for_multicloud_management:2.3.:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_multicloud_management	2.3.	cpe:2.3:a:ibm:cloud_pak_for_multicloud_management:2.3.:::::::*

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.002

Percentile

60.8%

JSON

Related for 7A92E6AD21E50791DB3B5F8A5854845620B9EECB71939A3BF77B4609DF71A7C4