Update the version of Node used by Secure Gateway Client component to address the listed CVEs. This issue affects only users of the Secure Gateway Client.
CVEID:CVE-2020-1971
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a NULL pointer dereference. If the GENERAL_NAME_cmp function contain an EDIPARTYNAME, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192748 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-8265
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a use-after-free in TLSWrap within the TLS implementation. By writing to a TLS enabled socket, an attacker could exploit this vulnerability to corrupt memory and cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194101 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-8287
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/194100 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM DataPower Gateway V10 CD | V10.0.2.0 |
IBM DataPower Gateway 10.0.1 | 10.0.0.0-10.0.1.3 |
IBM DataPower Gateway | 2018.4.1.0-2018.4.1.16 |
Product | Fixed in version | APAR | Download |
---|---|---|---|
IBM DataPower Gateway V10 CD | 10.0.3.0 | IT36417 | |
https://www.ibm.com/support/pages/node/6435715 | |||
IBM DataPower Gateway 10.0.1 | 10.0.1.4 | IT36417 | https://www.ibm.com/support/pages/node/6205303 |
IBM DataPower Gateway 2018.4.1 | 2018.4.1.17 | IT36417 | <https://www.ibm.com/support/pages/node/316533> |
For customers on older DataPower Gateway versions, IBM recommends upgrading to a fixed, supported version of the product |
None