Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6720DA76DC4080270DED501486287C7B59D94D2F8D7A2176D0DC69216ABD0ABB
HistorySep 26, 2018 - 6:40 p.m.

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)

2018-09-2618:40:01
www.ibm.com
11

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities

Vulnerability Details

CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144740&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7164 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading from the network into JavaScript using the net.Socket object directly as a stream. By sending tiny chunks of data in short succession, a remote attacker could exploit this vulnerability to cause the application to exhaust all memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144739&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7162 DESCRIPTION: Node.js is vulnerable to a denial of service. By sending duplicate/unexpected messages during the handshake, a remote attacker could exploit this vulnerability to cause the node server providing an http server supporting TLS server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144738&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cloud Private 2.1.0

IBM Cloud Private Cloud Foundry 2.1.0

Remediation/Fixes

Release Fixing VRM Level Platform Link to Fix
IBM Cloud Private 2.1.0.x 2.1.0.3 Fix Pack 1 + Patch Linux

2.1.0.3 Fix Pack 1

Helm API Patch

Vulnerability Advisor Patch

IBM Cloud Private Cloud Foundry 2.1.0.x | 2.1.0.3 Fix Pack 1 | Linux | 2.1.0.3 Fix Pack 1

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud privateeqany

Related

nessus 24
freebsd 2
nodejsblog 1
openvas 23
suse 2
fedora 4
altlinux 1
ibm 9
photon 8
redhatcve 5
debiancve 5
checkpoint_advisories 2
cbl_mariner 5
alpinelinux 3
amazon 1
prion 5
f5 5
cve 5
veracode 7
ubuntucve 5
osv 7
redhat 3
gentoo 1
debian 1
ubuntu 1
mageia 1
nessus
nessus
Node.js multiple vulnerabilities (July 2018 Security Releases).
2018-11-14 00:00:00
FreeBSD : node.js -- multiple vulnerabilities (45b8e2eb-7056-11e8-8fab-63ca6e0e13a2)
2018-06-15 00:00:00
Fedora 27 : 1:nodejs (2018-79841c871e)
2018-07-02 00:00:00
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-06-12 00:00:00
nghttp2 -- Denial of service due to NULL pointer dereference
2018-04-04 00:00:00
nodejsblog
nodejsblog
June 2018 Security Releases
2018-06-12 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:1918-1)
2021-06-09 00:00:00
Fedora Update for nodejs FEDORA-2018-79841c871e
2018-07-03 00:00:00
Fedora Update for nodejs FEDORA-2018-f59d961d7b
2018-06-19 00:00:00
suse
suse
Security update for nodejs8 (moderate)
2018-07-14 03:11:40
Security update for nodejs6 (moderate)
2018-07-14 03:11:04
fedora
fedora
[SECURITY] Fedora 27 Update: nodejs-8.11.3-1.fc27
2018-07-01 22:24:06
[SECURITY] Fedora 28 Update: nodejs-8.11.3-1.fc28
2018-06-18 16:20:43
[SECURITY] Fedora 28 Update: nghttp2-1.31.1-1.fc28
2018-04-17 00:27:10
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 8.11.3-alt1
2018-06-30 00:00:00
ibm
ibm
Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM)
2022-09-15 19:20:56
Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
2018-09-11 18:41:01
Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Rational Application Developer for WebSphere Software (CVE-2018-1000168, CVE-2018-7161)
2018-11-12 16:15:02
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0185
2018-09-17 00:00:00
Important Photon OS Security Update - PHSA-2018-0093
2018-09-14 00:00:00
redhatcve
redhatcve
CVE-2018-1000168
2019-10-25 06:31:58
CVE-2018-7162
2019-10-21 08:20:27
CVE-2018-7164
2020-04-01 13:58:28
debiancve
debiancve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:00
CVE-2018-7164
2018-06-13 16:29:00
checkpoint_advisories
checkpoint_advisories
Node.js Foundation Node.js nghttp2 nghttp2_frame_altsvc_free Null Pointer Dereference (CVE-2018-1000168)
2019-02-14 00:00:00
Node.js Foundation Node.js TLS Denial of Service (CVE-2018-7162)
2019-02-14 00:00:00
cbl_mariner
cbl_mariner
CVE-2018-1000168 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-7162 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
CVE-2018-7164 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34
alpinelinux
alpinelinux
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7161
2018-06-13 16:29:00
CVE-2018-7167
2018-06-13 16:29:00
amazon
amazon
Medium: nghttp2
2018-05-24 17:59:00
prion
prion
Input validation
2018-05-08 15:29:00
Design/Logic Flaw
2018-06-13 16:29:00
Design/Logic Flaw
2018-06-13 16:29:00
f5
f5
K49902412 : nghttp vulnerability CVE-2018-1000168
2018-04-12 00:00:00
K15131064 : Node.js vulnerability CVE-2018-7162
2018-06-15 00:00:00
K34369533 : Node.js vulnerability CVE-2018-7161
2018-06-15 00:00:00
cve
cve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:00
CVE-2018-7164
2018-06-13 16:29:00
veracode
veracode
Denial Of Service (DoS)
2018-11-20 05:23:08
Denial Of Service (DoS)
2018-07-31 05:45:54
Denial Of Service (DoS)
2018-06-14 04:26:39
ubuntucve
ubuntucve
CVE-2018-7162
2018-06-13 00:00:00
CVE-2018-1000168
2018-04-12 00:00:00
CVE-2018-7164
2018-06-13 00:00:00
osv
osv
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-7162
2018-06-13 16:29:01
CVE-2018-7164
2018-06-13 16:29:01
redhat
redhat
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2019:0367) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 security update
2019-02-18 16:47:10
(RHSA-2019:0366) Important: Red Hat JBoss Core Services Apache HTTP Server 2.4.29 SP1 security update
2019-02-18 16:45:31
gentoo
gentoo
Node.js: Multiple vulnerabilities
2020-03-20 00:00:00
debian
debian
[SECURITY] [DLA 2786-1] nghttp2 security update
2021-10-17 06:02:47
ubuntu
ubuntu
Node.js vulnerabilities
2021-03-15 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerabilities
2019-09-15 16:24:16

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for 6720DA76DC4080270DED501486287C7B59D94D2F8D7A2176D0DC69216ABD0ABB
nessus24freebsd2nodejsblog1openvas23suse2fedora4altlinux1ibm9photon8redhatcve5debiancve5checkpoint_advisories2cbl_mariner5alpinelinux3amazon1prion5f55cve5veracode7ubuntucve5osv7redhat3gentoo1debian1ubuntu1mageia1