Security Bulletin: Potential vulnerability with Node.js

Summary

A potential vulnerability has been identified related to Node.js. Refer to details for additional information.

Vulnerability Details

CVEID:CVE-2021-23840
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-22884
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an error when the allowlist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID:CVE-2021-22883
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to lead to an excessive memory usage and cause the system to run out of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

Upgrade to the latest (4.0.0) release of WA for CP4D which maintains backward compatibility with the versions listed above.

Workarounds and Mitigations

None