There are multiple vulnerabilities in Node.js used by IBM Spectrum LSF Suite, IBM Spectrum LSF Suite for HPA and Spectrum LSF Explorer.
CVE-ID: CVE-2019-9511
Description: Multiple vendors are vulnerable to a denial of service, caused by a Data Dribble attack. By sending a HTTP/2 request by the HTTP/2 protocol stack (HTTP.sys) for an overly large amount of data from a specified resource over multiple streams, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164638> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9512 Description: Multiple vendors are vulnerable to a denial of service, caused by a Ping Flood attack. By sending continual pings to an HTTP/2 peer, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164903> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9513 Description: Multiple vendors are vulnerable to a denial of service, caused by a Resource Loop attack. By creating multiple request streams and continually shuffling the priority of the streams, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164639> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9514 Description: Multiple vendors are vulnerable to a denial of service, caused by a Reset Flood attack. By opening a number of streams and sending an invalid request over each stream, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164640> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9515 Description: Multiple vendors are vulnerable to a denial of service, caused by a Settings Flood attack. By sending a stream of SETTINGS frames to the peer, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165181> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9516 **Description: *Multiple vendors are vulnerable to a denial of service, caused by a 0-Length Headers Leak attack. By sending a stream of headers with a 0-length header name and 0-length header value, a remote attacker could consume excessive memory resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165182> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID: CVE-2019-9517 **Description: *Multiple vendors are vulnerable to a denial of service, caused by an Internal Data Buffering attack. By opening the HTTP/2 window so the peer can send without constraint and sending a stream of requests for a large response object, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/165183> for more information
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVE-ID:CVE-2019-9518
Description: Multiple vendors are vulnerable to a denial of service, caused by a Empty Frame Flooding attack. By sending a stream of frames with an empty payload and without the end-of-stream flag, a remote attacker could consume excessive CPU resources.
CVSS Base Score: 7.5
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/164904> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Spectrum LSF Suite 10.2, Spectrum LSF Suite for HPA 10.2, Spectrum LSF Explorer 10.2
Product | VRMF | APAR | Remediation/First Fix |
---|
Spectrum LSF Suite
Spectrum LSF Suite for HPA
Spectrum LSF Explorer
| 10.2 | None | 1. Download Node.js v8.16.1 from: https://nodejs.org/en/blog/release/v8.16.1/. (The following steps use x86_64 as an example.)
2. Copy the package into the Explorer Server host.
3. On the Explorer Server host, stop webgui and explorer services.
4. On the Explorer Server host, extract new files and replace old files in the following directory:
$GUI_TOP/3.0/node
5. On the Explorer Server host, start webgui and explorer services on demand.
None