Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Rational Application Developer for WebSphere Software (CVE-2016-2842)

Summary

OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL project. OpenSSL is used by the Cordova tools in IBM Rational Application Developer for WebSphere Software. IBM Rational Application Developer for WebSphere Software has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2016-2842

**
DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the failure to verify that a certain memory allocation succeeds by the doapr_outch function. A remote attacker could exploit this vulnerability using a specially crafted string to cause an out-of-bounds write or consume an overly large amount of resources.

CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111304 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Rational Application Developer for WebSphere Software v9.1 and v9.5

Remediation/Fixes

Update the IBM SDK for Node.js using by the Cordova platform in the product to address this vulnerability:

• Apply IBM SDK for Node.js Version 1.1 release updated equivalent to the Joyent Node.js API version 0.10.43 to the Cordova platform in the product.

Installation instructions for applying the update to the Cordova platform in the product can be found here:

Upgrading the IBM SDK for Node.js used by Cordova