Jun 17, 2018 - 5:12 a.m.

Security Bulletin: Node.js Package Manager (npm) Bearer Token Vulnerability affects IBM Rational Application Developer for WebSphere Software (CVE-2016-3956)

www.ibm.com

EPSS: 0.002 (Low), percentile 61.9%

Summary

A vulnerability in the Node Package Manager’s use of HTTP bearer tokens affects IBM SDK for Node.js.

Vulnerability Details

CVEID: CVE-2016-3956

DESCRIPTION: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the command-line interface. By setting up an HTTP server and collecting token information, an attacker could exploit this vulnerability to impersonate the user and do anything the owner of the information could, including publishing new versions of packages.

CVSS Base Score: 9.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112153> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
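
The description above is about a bearer token travelling to a server that should never see it. As an added example (not npm's or IBM's code), assuming the leak takes the form of the CLI attaching the token to requests for hosts other than the registry, this contrasts that pattern with a client that sends the token only to the HTTPS origin it was issued for; the registry URL, token and function names are constructed:

```javascript
// Added illustration, not npm's source. URLs, token and names are constructed.
const REGISTRY = 'https://registry.example.test/';
const TOKEN = 'constructed-token-0000';

// Leaky pattern: the credential follows every request, whatever the destination.
function headersLeaky(requestUrl, token) {
  return { authorization: `Bearer ${token}` };
}

// Scoped pattern: attach the token only when the request goes to the origin
// that issued it (same scheme, host and port) and the channel is HTTPS.
function headersScoped(requestUrl, token, registryUrl) {
  let req, reg;
  try {
    req = new URL(requestUrl);
    reg = new URL(registryUrl);
  } catch (err) {
    return {}; // unparseable URL: send no credential
  }
  const sameOrigin = req.origin === reg.origin;
  const encrypted = req.protocol === 'https:';
  return sameOrigin && encrypted ? { authorization: `Bearer ${token}` } : {};
}

// Constructed request URLs: the registry, a tarball on another host,
// a plain-HTTP request, and a lookalike host that defeats prefix matching.
const SAMPLES = [
  'https://registry.example.test/some-package',
  'https://tarballs.other.test/some-package-1.0.0.tgz',
  'http://registry.example.test/some-package',
  'https://registry.example.test.other.test/some-package',
];

// Report, per URL, whether each policy would put the token on the wire.
function audit(urls) {
  return urls.map((url) => ({
    url,
    leaky: 'authorization' in headersLeaky(url, TOKEN),
    scoped: 'authorization' in headersScoped(url, TOKEN, REGISTRY),
  }));
}

console.table(audit(SAMPLES));
```

Comparing origins rather than URL prefixes is what keeps the lookalike host in the last sample from receiving the token.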

Affected Products and Versions

IBM Rational Application Developer for WebSphere Software v9.1 and v9.5

Remediation/Fixes

Rational Application Developer, 9.1.x and 9.5.x: PI60886

Installation instructions for applying the update to the Cordova platform in the product can be found here: Upgrading the IBM SDK for Node.js used by Cordova
