Security Bulletin: Vulnerability in nodejs decode-uri-component affect Cloud Pak System[CVE-2022-38900]

Summary

Vulnerability in nodejs decode-uri-component affect Cloud Pak System[CVE-2022-38900]. Cloud Pak System has addressed this vulnerability.

Vulnerability Details

CVEID:CVE-2022-38900
**DESCRIPTION:**decode-uri-component is vulnerable to a denial of service, caused by improper input validation by the decodeComponents function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

For unsupported platform/version/release the recommendation is to upgrade to supported platform/version/release of the product.
Vulnerability identified in decode-uri-component in Jest module Cloud Pak System update jest module to version that removed decode-uri-component.

For Cloud Pak System V2.3.0.1, V2.3.1.1, V2.3.2.0 for power,
Upgrade to Cloud Pak System v2.3.3.7 and apply V2.3.3.7 Interim Fix 01 at IBM Fix Central.
information on upgrading here <https://www.ibm.com/support/pages/node/6982511&gt;

For Cloud Pak System V2.3.3.7 for power,
Apply Cloud Pak System V2.3.3.7 Interim Fix 01 at IBM Fix Central.

information on upgrading available at <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

For Cloud Pak System on Intel

Upgrade to Cloud Pak System v2.3.4.0 at Fix Central

Information on upgrading here <http://www.ibm.com/support/docview.wss?uid=ibm10887959&gt;

Workarounds and Mitigations

None