Security Bulletin: Vulnerabilities in Node.js affecting IBM Event Streams (CVE-2021-22960 and CVE-2021-22959)

Summary

Vulnerabilities in Node.js affecting IBM Event Streams

Vulnerability Details

CVEID:CVE-2021-22960
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by an error when parsing the body of chunked requests. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211171 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2021-22959
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by an error related to a space in headers. A remote attacker could send a specially-crafted request with a space (SP) right after the header name before the colon to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211168 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM Event Streams (Helm-based releases)

• Download the 2019.4.5 release from IBM Fix Central.
• Upgrade to IBM Event Streams 2019.4.5 by following the upgrading and migrating documentation.

IBM Event Streams (Continuous Delivery)

• Upgrade to IBM Event Streams 10.5.0 by following the upgrading and migrating documentation.

IBM Event Streams (Extended Update Support)

• Upgrade to IBM Event Streams 10.2.1 by following the upgrading and migrating documentation.

Workarounds and Mitigations

None