Security Bulletin: A security vulnerability in Node.js affects IBM Cloud Pak for Watson AIOps Infrastructure Automation

Summary

A security vulnerability in Node.js affects IBM Cloud Pak for Watson AIOps Infrastructure Automation

Vulnerability Details

CVEID:CVE-2022-32215
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the failure to correctly handle multi-line Transfer-Encoding headers by the llhttp parser in the http module. A remote attacker could send a specially-crafted request to lead to HTTP Request Smuggling (HRS). An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230659 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2022-32212
**DESCRIPTION:**Node.js could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly check if an IP address is invalid or not by IsIPAddress. By controlling the victim’s DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the IsAllowedHost check and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230660 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

Upgrade to IBM Cloud Pak for Watson AIOps Infrastructure Automation 3.5 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cloud-pak-watson-aiops/3.5.0?topic=upgrading-infrastructure-automation&gt;

Workarounds and Mitigations

None