
Security Bulletin: Vulnerability in Node.js affects IBM DataPower Gateways (CVE-2017-11499)

2018-06-15 07:08:06
www.ibm.com
7

EPSS: 0.009 (Low), Percentile: 82.5%

Summary

Potential Denial of Service in Node.js. IBM DataPower Gateways has addressed the applicable CVE.

Vulnerability Details

CVEID: CVE-2017-11499
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by a flaw related to constant HashTable seeds. A remote attacker could exploit this vulnerability to flood the hash and cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129465 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM DataPower Gateways appliances, versions 7.0.0.0-7.0.0.19, 7.1.0.0-7.1.0.18, 7.2.0.0-7.2.0.15

Remediation/Fixes

7.0.0.20, 7.1.0.19, 7.2.0.16

Fix is available in versions 7.0.0.20, 7.1.0.19, 7.2.0.16. Refer to APAR IT22120 for URLs to download the fix.

You should verify that applying this fix does not cause any compatibility issues.

For DataPower customers using versions 6.x and earlier versions, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
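
The affected and fixed levels listed above, turned into a firmware check over an appliance inventory (an added example, not IBM's code). Hostnames and firmware strings are constructed, and the optional model prefix such as `IDG.` is an assumption about how an inventory reports versions.

```python
import re

# Last affected fix level and first fixed level per release stream,
# copied from this bulletin (CVE-2017-11499).
STREAMS = {
    (7, 0, 0): (19, "7.0.0.20"),
    (7, 1, 0): (18, "7.1.0.19"),
    (7, 2, 0): (15, "7.2.0.16"),
}

def parse_version(text):
    """Return the trailing four-part version as a tuple of ints, or None.

    Anchoring at the end keeps a numeric model prefix (assumed form,
    e.g. 'XI52.7.0.0.19') from being read as part of the version.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$", text)
    return tuple(int(p) for p in m.groups()) if m else None

def assess(text):
    """Classify one firmware string; returns (status, fixed_level_or_None)."""
    v = parse_version(text)
    if v is None:
        return ("unknown", None)
    if v[0] <= 6:
        # Bulletin: 6.x and earlier should move to a fixed, supported release.
        return ("unsupported", None)
    stream = STREAMS.get(v[:3])
    if stream is None:
        # Not named in this bulletin; make no claim either way.
        return ("not-listed", None)
    last_affected, fixed = stream
    return ("affected", fixed) if v[3] <= last_affected else ("fixed", None)

# Constructed inventory: hypothetical hostnames and firmware strings.
INVENTORY = {
    "dp-edge-01": "IDG.7.2.0.15",
    "dp-edge-02": "7.2.0.16",
    "dp-int-01": "XI52.7.0.0.19",
    "dp-old-01": "6.0.1.4",
}

def report(inventory):
    """Map each host to its (status, fixed_level) result."""
    return {host: assess(fw) for host, fw in inventory.items()}

if __name__ == "__main__":
    for host, (status, fixed) in report(INVENTORY).items():
        print(host, status, f"-> upgrade to {fixed}" if fixed else "")
```
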

Workarounds and Mitigations

None
