Security Bulletin: IBM Event Streams is affected by multiple vulnerabilities in Node.js

Summary

Vulnerabilities in node.js before 18.16.1 affect the Node.js component that is used by IBM Event Streams (CVE-2023-30581, CVE-2023-30589, CVE-2023-30585, CVE-2023-30590, CVE-2023-30588). These vulnerabilities have been addressed.

Vulnerability Details

CVEID:CVE-2023-30589
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the failure to strictly use the CRLF sequence to delimit HTTP requests by the llhttp parser in the http module. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30581
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in process.mainModule.proto.require(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass experimental policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30585
**DESCRIPTION:**Node.js could allow a remote attacker to gain elevated privileges on the system, caused by an error in the installation process during the repair operation, where the “msiexec.exe” process attempts to read the %USERPROFILE% environment variable from the current user’s registry. An attacker could exploit this vulnerability to create folders in unintended and potentially malicious locations.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258621 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30588
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By accessing public key info of provided certificates from user code, an attacker could exploit this vulnerability to force interruptions of application processing and cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-30590
**DESCRIPTION:**Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading

Upgrade to IBM Event Streams 11.2.2 by following the <https://ibm.github.io/event-automation/es/installing/upgrading/&gt; documentation.

Workarounds and Mitigations

None