Security Bulletin: Vulnerability in Node.js affects IBM Event Streams (CVE-2021-22959)

Summary

There is a vulnerability in the Node.js open source runtime. The runtime is used by the IBM Event Streams. The CVE has been addressed.

Vulnerability Details

CVEID:CVE-2021-22959
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name before the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Event Streams (Helm-based releases)

• Download the 2019.4.5 release from IBM Fix Central.
• Upgrade to IBM Event Streams 2019.4.5 by following the upgrading and migrating documentation.

IBM Event Streams (Continuous Delivery)

• Upgrade to IBM Event Streams 10.5.0 by following the upgrading and migrating documentation.

IBM Event Streams (Extended Update Support)

• Upgrade to IBM Event Streams 10.2.1 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None