IBMBA0ECBE0DF73AF77D0BC9564AEB2B59377917457D1B75D09F5309EFDB91ECED2Security Bulletin: Multiple vulnerabilities in current releases of IBM® SDK for Node.js™ in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Summary
This bulletin describes CVE-2015-3197 that was reported on January 26, 2015 by the OpenSSL Project, plus two additional vulnerabilities.
Vulnerability Details
CVEID: CVE-2015-3197 DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/110235> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVE-ID: CVE-2016-2086 DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the improper handling of the Content-Length header. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.1
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/110530> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-ID: CVE-2016-2216 DESCRIPTION: Node.js is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input when processing malicious requests. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers containing unicode charactesr and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/110529> for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
These vulnerabilities affect IBM SDK for Node.js v1.1.0.18 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v1.2.0.8 and earlier releases.
A subset of these vulnerabilities affect IBM SDK for Node.js v4.2.6.0 and earlier releases. See Remediation/Fixes section for details.
These vulnerabilities affect all versions up to and including IBM SDK for Node.js v1.1.0.18 and v1.2.0.8 corresponding to open-source version v0.10.41 and v0.12.9 respectively. A subset of these vulnerabilities affect IBM SDK for Node.js v4.2.6.0 and earlier releases.
It also affects the same open source versions of the Node.js runtime in IBM Bluemix. These issues have been resolved in IBM SDK for Node.js v1.1.0.19, v1.2.0.9 and v4.3.
To check which version of the Node.js runtime runtime your Bluemix application is using, navigate to the “Files” menu item for your application through the Bluemix UI. In the “logs” directory, check the “staging_task.log”.
You can also find this file through the command-line Cloud Foundry client by running the following command:
cf files <appname> logs/staging_task.log
Look for the following lines:
-----> IBM SDK for Node.js Buildpack _______
If the Node.js engine version is not v0.10.42, v0.12.10 or v4.3, your application may be vulnerable.
Remediation/Fixes
The vulnerabilities list above have been resolved in IBM SDK for Node.js v1.1.0.19, v1.2.0.9 and v4.3.
To upgrade to the latest version of the Node.js runtime, please specify the latest Node.js runtime in your package.json file for your application:
“engines”: {
_ “node”: “>=0.10.42”_
},
or _
“engines”: {
_ “node”: “>=0.12.10”
},
or _
“engines”: {
_ “node”: “>=4.3”
},
You will then need to restage (or re-push) your application.
Workarounds and Mitigations
CVE-2015-3197 only applies to IBM SDK for Node.js v1.1.x and 1.2.x if the --enable-ssl2 command line argument is being used. This option is notenabled by default.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm sdk for node.js for cloud | eq | any |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P