IBMD841E600D8569B75D99F3956AFB7F96288D0453BD114E6F7D4F1F882CCD81720Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Node.js.(CVE-2020-8201 CVE-2020-8251 CVE-2020-8252 )
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
Summary
IBM API Connect has addressed the following vulnerability.
Vulnerability Details
CVEID:CVE-2020-8201
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by CR-to-Hyphen conversion. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188591 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID:CVE-2020-8251
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by delayed unfinished HTTP/1.1 requests submission. An attacker could exploit this vulnerability to make the server unable to accept new connections and exhaust all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188592 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2020-8252
**DESCRIPTION:**Node.js is vulnerable to a buffer overflow, caused by improper bounds checking by the libuv’s fs.realpath.native. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188593 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM API Connect | API Connect V10.0.1.0 |
| IBM API Connect | V2018.4.1.0-2018.4.1.13 |
Remediation/Fixes
| Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
|---|
IBM API Connect
V2018.4.1.0-2018.4.1.13
| 2018.4.1.15|
LI81959
|
Addressed in IBM API Connect V2018.4.1.15.
All components are impacted.
Follow this link and find the packages.
http://www.ibm.com/support/fixcentral/swg/quickorder
IBM API Connect
V10.0.1.0
| 10.0.1.1|
LI81959
|
Addressed in IBM API Connect V10.0.1.1
All components are impacted.
Follow this link and find the packages.
http://www.ibm.com/support/fixcentral/swg/quickorder
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm api connect | eq | 2018.4.1.0 | |
| ibm api connect | eq | 2018.4.1.13 | |
| ibm api connect | eq | 10.0.0.0 | |
| ibm api connect | eq | 10.0.1.0 |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N