Security Bulletin: Multiple vulnerabilities in current releases of IBM® SDK for Node.js™

Summary

This bulletin describes CVE-2015-3197 that was reported on January 26, 2015 by the OpenSSL Project, plus two additional vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-3197 DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/110235&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)

CVE-ID: CVE-2016-2086 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the improper handling of the Content-Length header. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.100
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/110530&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVE-ID: CVE-2016-2216 DESCRIPTION: Node.js is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input when processing malicious requests. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers containing unicode charactesr and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.100
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/110529&gt; for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

These vulnerabilities affect IBM SDK for Node.js v1.1.0.18 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v1.2.0.8 and earlier releases.
A subset of these vulnerabilities affect IBM SDK for Node.js v4.2.6.0 and earlier releases. See Remediation/Fixes section for details.

Remediation/Fixes

CVE ID

|

Fixed IBM SDK for Node.js releases

—|—

1.1.x

|

1.2.x

|

4.x

CVE-2015-3197

|

1.1.0.19

|

1.2.0.9

|

N/A

CVE-2016-2086

|

1.1.0.19

|

1.2.0.9

|

4.3.0.0

CVE-2016-2216

|

1.1.0.19

|

1.2.0.9

|

4.3.0.0

IBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from here.

IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.

Workarounds and Mitigations

CVE-2015-3197 only applies to IBM SDK for Node.js v1.1.x and 1.2.x if the --enable-ssl2 command line argument is being used. This option is notenabled by default.