Security Bulletin: Node.js as used in IBM QRadar Packet Capture is susceptible to multiple vulnerabilities

Summary

Node.js as used in IBM QRadar Packet Capture has been updated to resolve multiple vulnerabilities

Vulnerability Details

CVEID: CVE-2018-7158
**Description:**Node.js path module is vulnerable to a denial of service. By sending a specially crafted file path, an attacker could exploit this vulnerability to cause a regular expression denial of service.
**CVSS Base Score:**5.90
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143449&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID: CVE-2018-7159
**Description:**Node.js http module could allow a remote attacker to bypass security restrictions, caused by the acceptance of incorrect Content-Length values, containing spaces within the value, in HTTP headers. An attacker could exploit this vulnerability to confuse the script and launch further attacks on the system.
**CVSS Base Score:**5.30
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143448&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVEID: CVE-2018-7160
**Description:**Node.js inspector module could allow a remote attacker to bypass security restrictions, caused by the failure to properly validate the Host header. An attacker could exploit this vulnerability to bypass same-origin policy and conduct a DNS rebinding attack.
**CVSS Base Score:**5.80
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143447&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L

CVEID:CVE-2018-7161
**Description:**Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
**CVSS Base Score:**7.50
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144736&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVEID:CVE-2018-12115
**Description:**Node.js is vulnerable to a denial of service, caused by an out-of-bounds write in Buffer. An attacker could exploit this vulnerability to write to memory outside of a Buffer’s memory space, corrupt Buffer objects or cause the process to crash.
**CVSS Base Score:**8.20
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148426&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVEID:CVE-2018-7166
**Description:**Node.js could allow a remote attacker to obtain sensitive information, caused by the return of uninitialized memory by the Buffer.alloc() function. By sending a specially crafted argument, an attacker could exploit this vulnerability to obtain sensitive information.
**CVSS Base Score:**7.50
**CVSS Temporal Score:**See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148425&gt; for the current score
**CVSS Environmental Score:***Undefined
**CVSS Vector:**CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products and Versions

IBM Security QRadar Packet Capture 7.2.0 - 7.2.8 Patch 4

IBM Security QRadar Packet Capture 7.3.0 - 7.3.1 Patch 1

Remediation/Fixes

QRadar Packet Capture / QRadar Packet Capture Data Node 7.2.8 Patch 5

QRadar Packet Capture / QRadar Packet Capture Data Node 7.3.1 Patch 2

Workarounds and Mitigations

None