Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM6AFE0225FF449F7A6AD90F9665790E82664E148663D54920693EFD869839FCE0
HistoryNov 20, 2018 - 12:45 p.m.

Security Bulletin: Multiple vulnerabilities in Node.js affect IBM Integration Bus & IBM App Connect Enterprise V11

2018-11-2012:45:01
www.ibm.com
28

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

IBM Integration Bus & IBM App connect Enterprise V11 ship with Node.js version 8 for which multiple vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID:CVE-2018-0737
Description: OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information.
CVSS Base Score: 3.3
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/141679 for more information

CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVE-ID: CVE-2018-7166
Description: Node.js could allow a remote attacker to obtain sensitive information, caused by the return of uninitialized memory by the Buffer.alloc() function. By sending a specially crafted argument, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/148425for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVE-ID: CVE-2018-12115
Description: Node.js is vulnerable to a denial of service, caused by an out-of-bounds write in Buffer. An attacker could exploit this vulnerability to write to memory outside of a Buffer’s memory space, corrupt Buffer objects or cause the process to crash.
CVSS Base Score: 8.2
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/148426 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVE-ID: CVE-2018-0732
Description: OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang.
CVSS Base Score: 3.7
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/144658 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7167 DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144740&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168 DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141584&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7159 DESCRIPTION: Node.js http module could allow a remote attacker to bypass security restrictions, caused by the acceptance of incorrect Content-Length values, containing spaces within the value, in HTTP headers. An attacker could exploit this vulnerability to confuse the script and launch further attacks on the system.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143448&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-7160 DESCRIPTION: Node.js inspector module could allow a remote attacker to bypass security restrictions, caused by the failure to properly validate the Host header. An attacker could exploit this vulnerability to bypass same-origin policy and conduct a DNS rebinding attack.
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143447&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.14

IBM App connect Enterprise V11 , V11.0.0.0 - V11.0.0.2

Remediation/Fixes

Product VRMF APAR Remediation/Fix
IBM Integration Bus V10.0.0.14 IT25537 The fix is available as Interim Fixes here - IBM Fix Central
IBM App Connect Enterprise V11 V11.0.0.2 IT25537 This fix is available as Interim Fixes here -IBM Fix Central

CPENameOperatorVersion
ibm integration buseqany

Related

nessus 57
redhat 3
ibm 25
nodejsblog 3
openvas 41
suse 6
altlinux 3
freebsd 4
photon 3
fedora 10
oraclelinux 5
mageia 1
symantec 1
debian 2
osv 7
slackware 1
f5 2
kaspersky 1
cloudfoundry 1
ubuntu 3
paloalto 1
redhatcve 2
debiancve 2
alpinelinux 2
prion 3
veracode 2
cloudlinux 1
ubuntucve 2
cve 2
checkpoint_advisories 1
amazon 1
cbl_mariner 1
nessus
nessus
RHEL 7 : rh-nodejs8-nodejs (RHSA-2018:2949)
2024-04-27 00:00:00
Node.js Multiple Vulnerabilities (August 2018 Security Releases)
2018-11-14 00:00:00
RHEL 7 : Red Hat OpenShift Application Runtimes Node.js 10.9.0 (RHSA-2018:2553)
2018-12-04 00:00:00
redhat
redhat
(RHSA-2018:2949) Important: rh-nodejs8-nodejs security update
2018-10-18 09:47:33
(RHSA-2018:2553) Moderate: Red Hat OpenShift Application Runtimes Node.js 10.9.0 security update
2018-08-22 21:04:25
(RHSA-2018:2552) Moderate: Red Hat OpenShift Application Runtimes Node.js 8.11.4 security update
2018-08-22 21:04:23
ibm
ibm
Security Bulletin: IBM Planning Analytics Local is affected by multiple Node.js vulnerabilities
2018-11-13 15:55:01
Security Bulletin: Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
2018-09-11 18:41:01
Security Bulletin: Node.js as used in IBM QRadar Packet Capture is susceptible to multiple vulnerabilities
2018-11-07 15:25:01
nodejsblog
nodejsblog
August 2018 Security Releases
2018-08-11 00:00:00
June 2018 Security Releases
2018-06-12 00:00:00
March 2018 Security Releases
2018-03-21 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2018:1918-1)
2021-06-09 00:00:00
openSUSE: Security Advisory for nodejs8 (openSUSE-SU-2018:1963-1)
2018-10-26 00:00:00
openSUSE: Security Advisory for nodejs6 (openSUSE-SU-2018:2816-1)
2018-09-25 00:00:00
suse
suse
Security update for nodejs8 (moderate)
2018-07-14 03:11:40
Security update for nodejs4 (moderate)
2018-09-08 12:14:51
Security update for nodejs6 (moderate)
2018-09-24 12:15:49
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 8.11.3-alt1
2018-06-30 00:00:00
Security fix for the ALT Linux 10 package node version 8.11.4-alt1
2018-08-29 00:00:00
Security fix for the ALT Linux 9 package openssl10 version 1.0.2p-alt1
2018-08-16 00:00:00
freebsd
freebsd
node.js -- multiple vulnerabilities
2018-08-16 00:00:00
node.js -- multiple vulnerabilities
2018-06-12 00:00:00
node.js -- multiple vulnerabilities
2018-03-21 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0093
2018-09-14 00:00:00
Important Photon OS Security Update - PHSA-2018-0185
2018-09-17 00:00:00
Important Photon OS Security Update - PHSA-2018-0093
2018-09-14 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: openssl-1.1.0i-1.fc28
2018-09-22 20:52:36
[SECURITY] Fedora 27 Update: openssl-1.1.0i-1.fc27
2018-10-02 15:03:41
[SECURITY] Fedora 26 Update: nodejs-6.14.0-1.fc26
2018-04-06 14:38:24
oraclelinux
oraclelinux
openssl security update
2018-10-15 00:00:00
openssl security update
2018-10-12 00:00:00
openssl security update
2018-10-12 00:00:00
mageia
mageia
Updated openssl packages fix security vulnerabilities
2018-09-02 22:07:30
symantec
symantec
OpenSSL Vulnerabilities 16-Apr-2018 and 12-Jun-2018
2018-10-10 08:01:01
debian
debian
[SECURITY] [DLA 1449-1] openssl security update
2018-07-28 03:56:45
[SECURITY] [DSA 4355-1] openssl1.0 security update
2018-12-19 22:30:16
osv
osv
openssl - security update
2018-07-28 00:00:00
CVE-2018-12115
2018-08-21 12:29:00
nodejs vulnerabilities
2021-03-15 21:18:37
slackware
slackware
[slackware-security] openssl
2018-08-15 00:18:35
f5
f5
K000137093 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
2023-10-02 00:00:00
K49902412 : nghttp vulnerability CVE-2018-1000168
2018-04-12 00:00:00
kaspersky
kaspersky
KLA11231 Multiple vulnerabilities in Node.js
2018-03-27 00:00:00
cloudfoundry
cloudfoundry
USN-3692-1: OpenSSL vulnerabilities | Cloud Foundry
2018-07-10 00:00:00
ubuntu
ubuntu
OpenSSL vulnerabilities
2018-06-26 00:00:00
OpenSSL vulnerabilities
2018-06-26 00:00:00
Node.js vulnerabilities
2021-03-15 00:00:00
paloalto
paloalto
OpenSSL Vulnerabilities in PAN-OS
2018-10-11 00:00:00
redhatcve
redhatcve
CVE-2018-1000168
2019-10-25 06:31:58
CVE-2018-12115
2019-10-22 05:58:44
debiancve
debiancve
CVE-2018-1000168
2018-05-08 15:29:00
CVE-2018-12115
2018-08-21 12:29:00
alpinelinux
alpinelinux
CVE-2018-12115
2018-08-21 12:29:00
CVE-2018-1000168
2018-05-08 15:29:00
prion
prion
Design/Logic Flaw
2018-08-21 12:29:00
Design/Logic Flaw
2018-08-21 12:29:00
Input validation
2018-05-08 15:29:00
veracode
veracode
Out-of-Bounds (OOB) Write
2019-01-15 09:26:04
Out-of-Bounds (OOB) Write
2018-08-17 07:37:44
cloudlinux
cloudlinux
Fix of CVE: CVE-2018-0739, CVE-2018-0737, CVE-2021-3712, CVE-2018-0732
2021-09-21 22:11:57
ubuntucve
ubuntucve
CVE-2018-7166
2018-08-21 00:00:00
CVE-2018-1000168
2018-04-12 00:00:00
cve
cve
CVE-2018-7166
2018-08-21 12:29:00
CVE-2018-1000168
2018-05-08 15:29:00
checkpoint_advisories
checkpoint_advisories
Node.js Foundation Node.js nghttp2 nghttp2_frame_altsvc_free Null Pointer Dereference (CVE-2018-1000168)
2019-02-14 00:00:00
amazon
amazon
Medium: nghttp2
2018-05-24 17:59:00
cbl_mariner
cbl_mariner
CVE-2018-1000168 affecting package nodejs 8.11.4-7
2021-08-11 06:39:34

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for 6AFE0225FF449F7A6AD90F9665790E82664E148663D54920693EFD869839FCE0
nessus57redhat3ibm25nodejsblog3openvas41suse6altlinux3freebsd4photon3fedora10oraclelinux5mageia1symantec1debian2osv7slackware1f52kaspersky1cloudfoundry1ubuntu3paloalto1redhatcve2debiancve2alpinelinux2prion3veracode2cloudlinux1ubuntucve2cve2checkpoint_advisories1amazon1cbl_mariner1