ibmIBM7FBB1FD9221FA054FD9A7DC060F7CF442AF0324D42297CC3C7C7D17622E3116F
Apr 11, 2019 - 9:25 p.m.

Security Bulletin: Multiple vulnerabilities in Node.js and OpenSSL affect IBM Watson Assistant on IBM Cloud Private

www.ibm.com

EPSS: 0.013 (Percentile: 86.3%)

Summary

Multiple vulnerabilities in Node.js™ and OpenSSL (as used by Node.js) that affect IBM® Watson™ Assistant on IBM Cloud Private were disclosed by the Node.js foundation and OpenSSL project.

Vulnerability Details

CVEID: CVE-2018-12122
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending headers very slowly, keeping HTTP or HTTPS connections and associated resources alive for a long period of time, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153456> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-12121
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by improper validation of HTTP headers. By sending specially crafted HTTP requests with maximum-sized headers, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153455> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-12116
DESCRIPTION: Node.js is vulnerable to HTTP request splitting attacks, caused by improper input validation of the path option of an HTTP request. A remote attacker could exploit this vulnerability to inject an arbitrary HTTP request and cause the browser to send 2 HTTP requests once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153452> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
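
For the request-splitting issue (CVE-2018-12116), a defensive check that application code can apply before an untrusted value reaches the `path` option of an outbound `http.request` call. This is an added example, not code from IBM or the Node.js project; the helper names `buildRequestPath` and `assertSafeRequestPath`, the route template and the sample inputs are constructed for illustration, and the check is an assumption about reasonable application hygiene alongside the upgrade, not a replacement for it.

```javascript
'use strict';
// Added example: hypothetical helpers, not Node.js or IBM code.

// Allow only printable ASCII (0x21-0x7E) in a request target: no control
// characters (CR and LF included), no space, no DEL, no non-ASCII.
const UNSAFE_TARGET = /[^\x21-\x7e]/;

// Final gate before a string is passed as http.request({ path }).
function assertSafeRequestPath(path) {
  if (typeof path !== 'string' || !path.startsWith('/')) {
    throw new TypeError('request path must be a string starting with "/"');
  }
  const hit = UNSAFE_TARGET.exec(path);
  if (hit) {
    const cp = hit[0].codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
    throw new RangeError(`unsafe character U+${cp} at index ${hit.index}`);
  }
  return path;
}

// Build `path` from a fixed route template plus untrusted values. Every
// untrusted value is percent-encoded instead of being concatenated raw.
function buildRequestPath(template, params = {}, query = {}) {
  const path = template.replace(/:([A-Za-z_]\w*)/g, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(params, name)) {
      throw new TypeError(`missing path parameter: ${name}`);
    }
    return encodeURIComponent(String(params[name]));
  });
  const qs = new URLSearchParams(query).toString();
  return assertSafeRequestPath(qs ? `${path}?${qs}` : path);
}

// Constructed sample inputs: one encoded build, then raw strings checked as-is.
function demo() {
  const out = {
    built: buildRequestPath('/v1/items/:id', { id: 'a b\r\nc' }, { q: 'caf\u00e9' }),
  };
  for (const raw of ['/ok?x=1', '/a\r\nb', '/caf\u00e9', '/a b', 'relative']) {
    try { out[raw] = assertSafeRequestPath(raw); } catch (e) { out[raw] = e.name; }
  }
  return out;
}

console.log(demo());
```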

Affected Products and Versions

These vulnerabilities affect IBM Watson Assistant V1.0.0 through V1.0.1.

Remediation/Fixes

Affected product: IBM Watson Assistant
Affected versions: V1.0.0-V1.0.1
Fix: Upgrade to IBM Watson Assistant V1.1.0. To download the software, go to Passport Advantage, search for “watson assistant,” and select IBM Watson Assistant for IBM Cloud Private V1.1.0 eAssembly, part number CJ4SVEN.

For information about this version, see the release notes. For information about installation, see the installation procedure.

Workarounds and Mitigations

None