Lucene search

IBM1B6A0A88205D737925BF33B2E66917090C254BD3D5E955FE74F10FC31B331AFB

HistoryJul 21, 2022 - 1:27 p.m.

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Cloud App Management

2022-07-2113:27:03

www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.5%

JSON

Summary

There are vulnerabilities in Node.js used by IBM® Cloud App Management. IBM® Cloud App Management has addressed the applicable CVEs in a later version.

Vulnerability Details

CVEID:CVE-2019-15604
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by improper certificate validation. By sending a specially-crafted X.509 certificate, a remote attacker could exploit this vulnerability to cause the process to abort.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175912 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-15605
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by a flaw when handling unusual Transfer-Encoding HTTP header. By sending a specially-crafted request, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175913 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2019-15606
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by an issue when HTTP header values do not have trailing OWS trimmed. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass authorization based on header value comparisons.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Cloud App Management V2018	2019.3.0
IBM Cloud App Management V2018	2019.4.0

Remediation/Fixes

BM Cloud App Management was updated to use a later version of Node.js. Install or upgrade to IBM Cloud App Management 2020.1.0 or later to address these security vulnerabilities. Later versions of IBM Cloud App Management are available on IBM Passport Advantage.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud app managementeq2019.3.0
ibm cloud app managementeq2019.4.0

CPE	Name	Operator	Version
	ibm cloud app management	eq	2019.3.0
	ibm cloud app management	eq	2019.4.0

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.011 Low

EPSS

Percentile

84.5%

JSON

Related for 1B6A0A88205D737925BF33B2E66917090C254BD3D5E955FE74F10FC31B331AFB