K63025104 : NodeJS vulnerability CVE-2018-7160

Security Advisory Description

The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the computer running the Node.js process. A malicious website could use a DNS rebinding attack to trick the web browser to bypass same-origin-policy checks and to allow HTTP connections to localhost or to hosts on the local network. If a Node.js process with the debug port active is running on localhost or on a host on the local network, the malicious website could connect to it as a debugger, and get full code execution access. (CVE-2018-7160)

Impact

An attacker using a malicious website may be able to remotely perform arbitrary code execution.

BIG-IP

This vulnerability is exposed when you license and provision iRulesLX and invoke Node.js using an iRule, or when you install iAppsLX and use the BIG-IP Configuration utility (GUI).

F5 SSL Orchestrator

This vulnerability is exposed when using the Configuration utility (GUI) for F5 SSL Orchestrator.