Security Bulletin: A vulnerability in Node.js affects IBM Cloud App Management V2018

Summary

There is a vulnerability in Node.js used by IBM® Cloud App Management V2018. Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to force the connection and associated resources to stay alive for a long period of time, a remote attacker could exploit this vulnerability to consume all available resources. IBM® Cloud App Management has addressed the applicable CVE in a later version.

Vulnerability Details

CVEID: CVE-2019-5737 DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to force the connection and associated resources to stay alive for a long period of time, a remote attacker could exploit this vulnerability to consume all available resources.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/158093&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cloud App Management V2018.2.0

IBM Cloud App Management V2018.4.0

IBM Cloud App Management V2018.4.1

Remediation/Fixes

IBM Cloud App Management was updated to use a later version of Node.js. Install or upgrade to IBM Cloud App Management V2019.2.1 to address these security vulnerabilities. IBM Cloud App Management V2019.2.1 is available on IBM Passport Advantage .

Workarounds and Mitigations

None