Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ in IBM Bluemix (CVE-2017-3735 CVE-2017-14919)

Summary OpenSSL vulnerabilities were disclosed on November 2, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs.A vulnerability was disclosed in October 2017 by the Node.js project. IBM SDK for Node.js has addressed the CVE...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ (CVE-2017-3735 CVE-2017-3736)

Summary OpenSSL vulnerabilities were disclosed on November 2, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-3735 Description: OpenSSL could allow a remote attacker to obtain sensiti...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ in IBM Cloud (CVE-2017-3736, CVE-2017-3737, CVE-2017-3738)

Summary OpenSSL vulnerabilities were disclosed on November 2, 2017 and December 7, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-3736 DESCRIPTION: OpenSSL could allow a remote...

Security Bulletin: Multiple vulnerabilities in current releases of IBM® SDK for Node.js™

Summary This bulletin describes CVE-2015-3197 that was reported on January 26, 2015 by the OpenSSL Project, plus two additional vulnerabilities. Vulnerability Details CVEID: CVE-2015-3197 DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of...

Security Bulletin: Multiple Vulnerabilities in Current Release of IBM® SDK for Node.js™

Summary Multiple vulnerabilities in OpenSSL disclosed on October 15, 2014 by the OpenSSL Project, plus the SSLv3 POODLE vulnerability Vulnerability Details CVE-ID: CVE-2014-3566 DESCRIPTION: Multiple products could allow a remote attacker to obtain sensitive information, caused by a design error...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2016-4560

Summary IBM SDK for Node.js installation executables on the Windows platform are affected by CVE-2016-4560 Vulnerability Details CVEID: CVE-2016-4560 DESCRIPTION: Flexera InstallAnywhere could allow a local attacker to gain elevated privileges on the system, caused by an untrusted search path. An...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8860

Summary Denial of service vulnerability in module tar, used by the npm package management tool Vulnerability Details CVEID: CVE-2015-8860 DESCRIPTION: Node.js tar module could allow a local attacker to launch a symlink attack. Temporary files are created insecurely. A local attacker could exploit...

Security Bulletin: Vulnerability in OpenSSL affects IBM® SDK for Node.js™ in IBM Bluemix (CVE-2015-1793)

Summary OpenSSL alternate chains certificate forgery vulnerability CVE-2015-1793 disclosed by the OpenSSL Project on July 9 2015. IBM SDK for Node.js in IBM Bluemix has addressed this CVE. Vulnerability Details CVEID: CVE-2015-1793 DESCRIPTION: OpenSSL could allow a remote attacker to bypass...

Security Bulletin: Current Release of IBM® SDK for Node.js™ is affected by CVE-2015-0278

Summary Privilege escalation vulnerability in libuv, caused by the failure to invoke setgroups prior to calling setuid and setgid. Vulnerability Details CVE-ID: CVE-2015-0278 Description: libuv could allow a local attacker to gain elevated privileges on the system, caused by the failure to invoke...

Security Bulletin: Multiple vulnerabilities might affect IBM® SDK for Node.js™

Summary Vulnerabilities in Node.js and the c-ares library were disclosed on July 11 2017 by the Node.js Foundation. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-11499 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by a flaw relate...

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™ in IBM Bluemix

Summary Vulnerabilities in Node.js and the c-ares library were disclosed on July 11 2017 by the Node.js Foundation. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-1000381 DESCRIPTION: c-ares could allow a remote attacker to obtain sensitive informatio...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8851

Summary Unsafe fallback to Math.random in module node-uuid, used by the npm package management tool Vulnerability Details CVE-ID: CVE-2015-8851 Description: node.js node-uuid could provide weaker than expected, caused by the use of Math.random instead of a more cryptographically sound source of...

Security Bulletin: Security vulnerabilities in IBM® SDK for Node.js™ affect IBM® SDK for Node.js™ in IBM Cloud (CVE-2018-7158, CVE-2018-7159, CVE-2018-7160)

Summary Security vulnerabilities have been reported in IBM® SDK for Node.js™ that affect IBM® SDK for Node.js™ in IBM Cloud. Vulnerability Details CVEID: CVE-2018-7158 DESCRIPTION: Node.js path module is vulnerable to a denial of service. By sending a specially crafted file path, an attacker coul...

Security Bulletin: Current Release of IBM® SDK for Node.js™ is affected by CVE-2014-5256

Summary V8 JavaScript engine denial of service vulnerability Vulnerability Details CVE-ID: CVE-2014-5256 DESCRIPTION: V8 shipped with Node.js is vulnerable to a denial of service, caused by a memory corruption error. By sending an overly long JSON string, a remote attacker could exploit this...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2015-8855

Summary Denial of service vulnerability in module semver, used by the npm package management tool Vulnerability Details CVEID: CVE-2015-8855 DESCRIPTION: The Node.js semver module is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could...

Security Bulletin: Vulnerabilities in OpenSSL and ReDoS vulnerability in semver module affect IBM® SDK for Node.js™ in IBM Bluemix (CVE-2016-2107, CVE-2016-2105, CVE-2015-8855)

Summary OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. The "semver" module is vulnerable to regular expression denial of service ReDoS when extremely long version strings...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2016-2515 and CVE-2016-2537

Summary Two denial of service vulnerabilities in modules used by the npm package management tool Vulnerability Details CVEID: CVE-2016-2515 DESCRIPTION: Node.js hawk is vulnerable to a denial of service, caused by an error in the regular expression implementation. An attacker could exploit this...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ (CVE-2017-3731 CVE-2017-3732 CVE-2016-7055)

Summary OpenSSL vulnerabilities were disclosed on January 26, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-3731 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by...

Security Bulletin: IBM® SDK for Node.js™ in IBM Bluemix may be affected by CVE-2016-1669

Summary Buffer overflow in the Google V8 Javascript implementation used by IBM SDK for Node.js Vulnerability Details CVEID: CVE-2016-1669 DESCRIPTION: Google Chrome is vulnerable to a buffer overflow, caused by an error in V8. By persuading a victim to visit a specially-crafted Web site, a remote...

Security Bulletin: OpenSSL vulnerability in current release of the IBM® SDK for Node.js™

Summary OpenSSL ECDSA FLUSH+RELOAD cache side-channel attack Vulnerability Details CVE ID: CVE-2014-0076 DESCRIPTION: OpenSSL could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA Elliptic Curve Digital Signature Algorithm. An attacker could...