Jan 03, 2024 - 6:17 p.m.

Security Bulletin: Vulnerability in Node.js terser affects Cloud Pak System [CVE-2022-25858]

2024-01-03 18:17:39
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 58.4%)

Summary

A vulnerability found in the Node.js terser module affects Cloud Pak System. IBM Cloud Pak System has addressed this vulnerability.

Vulnerability Details

**CVEID:** CVE-2022-25858
**DESCRIPTION:** Node.js terser module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/231377 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak System | 2.3.3.7 (Power) |
| IBM Cloud Pak System | 2.3.1.1, 2.3.2.0 |

Remediation/Fixes

For an unsupported version/release/platform, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The recommended solution is to apply the fix reported below as soon as practical.

For IBM Cloud Pak System v2.3.1.1, v2.3.2.0:
Upgrade to Cloud Pak System v2.3.3.7, then apply Cloud Pak System v2.3.3.7 Interim Fix 1.

Information on upgrading to Cloud Pak System v2.3.3.7 is at <https://www.ibm.com/support/pages/node/6982511>

For Cloud Pak System v2.3.3.7, apply Cloud Pak System v2.3.3.7 Interim Fix 1.

Information on upgrading to Cloud Pak System v2.3.3.7 Interim Fix is at <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners
Node: ibm cloud_pak_system, Match: 2.3

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm cloud pak system software | eq | 2.3 |
