Security Bulletin: A remote execution vulnerability in Node.js affects IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition

2024-06-1719:37:10

www.ibm.com

node.js

ibm rational developer

rpg

cobol

modernization tools

java edition

upgrade

version 9.6.0.13

remote execution

vulnerability

8 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Summary

Node.js is used as runtime and SDK for Apache Cordova applications within IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition. A remote execution of arbitrary commands vulnerability affecting Node.js has been published in this security bulletin. This bulletin identifies the steps to take to address the vulnerability as described in the remediation/fixes section.

Vulnerability Details

CVEID:CVE-2024-27980
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by the improper handling of batch files in child_process.spawn / child_process.spawnSync. By sending a specially crafted command line argument using args parameter, an attacker could exploit this vulnerability to inject and execute arbitrary commands on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287430 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
RDi	9.6

Remediation/Fixes

The issue can be fixed by loading a new version of Node.js.

Products(s)	Versions(s)	Remediation/Fix/Instructions
IBM Rational Developer for i RPG and COBOL + Modernization Tools, Java Edition	9.6.0.0 - 9.6.0.13

IBM strongly recommends addressing the vulnerability now by upgrading to the latest Node.js 18.x version, please follow Upgrading the Node.js that is used by Cordova or NodeRed to upgrade.

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmrational_application_developer_for_websphereMatch9.6.0.0

ibmrational_application_developer_for_websphereMatch9.6.0.1

ibmrational_application_developer_for_websphereMatch9.6.0.2

ibmrational_application_developer_for_websphereMatch9.6.0.3

ibmrational_application_developer_for_websphereMatch9.6.0.4

ibmrational_application_developer_for_websphereMatch9.6.0.5

ibmrational_application_developer_for_websphereMatch9.6.0.6

ibmrational_application_developer_for_websphereMatch9.6.0.7

ibmrational_application_developer_for_websphereMatch9.6.0.8

ibmrational_application_developer_for_websphereMatch9.6.0.9

ibmrational_application_developer_for_websphereMatch9.6.0.10

ibmrational_application_developer_for_websphereMatch9.6.0.11

ibmrational_application_developer_for_websphereMatch9.6.0.12

ibmrational_application_developer_for_websphereMatch9.6.0.13

CPENameOperatorVersion
rational developer for ieq9.6.0.0
rational developer for ieq9.6.0.1
rational developer for ieq9.6.0.2
rational developer for ieq9.6.0.3
rational developer for ieq9.6.0.4
rational developer for ieq9.6.0.5
rational developer for ieq9.6.0.6
rational developer for ieq9.6.0.7
rational developer for ieq9.6.0.8
rational developer for ieq9.6.0.9

Name	Operator	Version
rational developer for i	eq	9.6.0.0
rational developer for i	eq	9.6.0.1
rational developer for i	eq	9.6.0.2
rational developer for i	eq	9.6.0.3
rational developer for i	eq	9.6.0.4
rational developer for i	eq	9.6.0.5
rational developer for i	eq	9.6.0.6
rational developer for i	eq	9.6.0.7
rational developer for i	eq	9.6.0.8
rational developer for i	eq	9.6.0.9