IBM186AA99A0314CD5D894B3263928603E0F2447433FC0B4DB8AF0A018EC984064BSecurity Bulletin: Multiple vulnerabilities in Node.js affects IBM Rational Application Developer for WebSphere Software included in Rational Developer for i
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary
Portions of IBM Rational Application Developer for WebSphere Software are shipped as a component of Rational Developer for i (RPG and COBOL + Modernization Tools, Java and EGL editions).
Multiple Node.js vulnerabilities have been discovered that affect the Cordova platform packaged with Rational Application Developer. IBM Rational Application Developer for WebSphere Software has addressed the applicable CVEs (CVE-2018-1000168, CVE-2018-7161).
Vulnerability Details
CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
Affected Product and Version(s)
| Product and Version shipped as a component
—|—
IBM Rational Developer for i v9.6, v9.6.0.1, v9.6.0.2, v9.6.0.3, v9.6.0.4 RPG and COBOL + Modernization Tools, Java Edition | Rational Application Developer 9.6 - 9.6.1.1
IBM Rational Developer for i v9.6, v9.6.0.1, v9.6.0.2, v9.6.0.3, v9.6.0.4 RPG and COBOL + Modernization Tools, EGL Edition | Rational Application Developer 9.6 - 9.6.1.1
Remediation/Fixes
Review the Remediation/Fixes section of Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software (CVE-2018-1000168, CVE-2018-7161) for instructions on obtaining the fix for this issue.
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C