Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private - Node.js

Summary

IBM Cloud Private, Cloud Foundry for IBM Cloud Private and IBM Cloud Automation Manager are vulnerable to multiple security vulnerabilities in Node.js

Vulnerability Details

CVEID: CVE-2018-12122 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153456&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-12121 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending specially-crafted HTTP requests with maximum sized headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153455&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12120 DESCRIPTION: Node.js could allow a remote attacker to execute arbitrary JavaScript on the system, caused by a flaw when debugger mode is enabled with node --debug or node debug. By sending specially-crafted request to port 5858, an attacker could exploit this vulnerability to execute arbitrary JavaScript on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153454&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-5407 DESCRIPTION: Multiple SMT/Hyper-Threading architectures and processors could allow a local attacker to obtain sensitive information, caused by execution engine sharing on Simultaneous Multithreading (SMT) architecture. By using the PortSmash new side-channel attack, an attacker could run a malicious process next to legitimate processes using the architectures parallel thread running capabilities to leak encrypted data from the CPU’s internal processes. Note: This vulnerability is known as PortSmash.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152484&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-0735 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the ECDSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152086&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-0734 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing side channel attack in the DSA signature algorithm. An attacker could exploit this vulnerability using variations in the signing algorithm to recover the private key.
CVSS Base Score: 3.7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152085&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-12123 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153457&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-12116 DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation by the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject arbitrary HTTP request and cause the browser to send 2 HTTP requests, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153452&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

• IBM Cloud Private 2.1.x, 3.1.0, 3.1.1
• Cloud Foundry for IBM Cloud Private 3.1.1
• IBM Cloud Automation Manager 3.1.0

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages

• IBM Cloud Private 3.1.2
• IBM Cloud Private 3.1.1

For IBM Cloud Private 3.1.1

• Apply these patches:
  • IBM Cloud Private 3.1.1 Patch - Catalog ui
  • IBM Cloud Private 3.1.1 Patch - Logging
  • IBM Cloud Private 3.1.1 Patch - Helm-api
  • IBM Cloud Private 3.1.1 Patch - Helm-repo
  • IBM Cloud Private 3.1.1 Patch - Helm Management-repo
  • IBM Cloud Private 3.1.1 Patch - Metering
  • IBM Cloud Private 3.1.1 Patch - Platform-ui
  • IBM Cloud Private 3.1.1 Patch - Vulnerability Advisor
  • IBM Cloud Private 3.1.1 Patch - Auth-pap
  • IBM Cloud Private 3.1.1 Patch - Auth-idp

For IBM Cloud Private, 2.1.x, 3.1.0:

• Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.1.2.
• If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance

For Cloud Foundry for IBM Cloud Private 3.1.1:

• Upgrade to 3.1.1 Fix Pack 1

For IBM Cloud Automation Manager 3.1.0:

• Upgrade to version 3.1.2 which can be obtained from IBM Passport Advantage , or contact IBM support.

Workarounds and Mitigations

None