Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.2114 Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud 14 June 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM SDK for Node.js for Bluemix Publisher: IBM Operating System: Linux variants Impact/Access: Access Privileged Data -- Remote/Unauthenticated Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-5739 CVE-2019-5737 CVE-2019-1559 Reference: ASB-2019.0147 ASB-2019.0128 ESB-2019.2060 ESB-2019.2031 Original Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10886797 - --------------------------BEGIN INCLUDED TEXT-------------------- Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud Product: IBM SDK for Node.js for Bluemix Software version: All Versions Operating system(s): Linux Reference #: 0886797 Security Bulletin Summary OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Node.js vulnerabilities were disclosed by the Node.js foundation. Node.js is used by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2019-1559 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by the failure to immediately close the TCP connection after the hosts encounter a zero-length record with valid padding. An attacker could exploit this vulnerability using a 0-byte record padding-oracle attack to decrypt traffic. CVSS Base Score: 5.8 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 157514 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) CVEID: CVE-2019-5737 DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to force the connection and associated resources to stay alive for a long period of time, a remote attacker could exploit this vulnerability to consume all available resources. CVSS Base Score: 5.9 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158093 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-5739 DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an HTTP or HTTPS connection in keep-alive mode forcing the connection to remain open and inactive for up to 2 minutes, a remote attacker could exploit this vulnerability to consume all available resources. CVSS Base Score: 7.5 CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/ 158096 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions These vulnerabilities affect IBM SDK for Node.js v6.15.0 and earlier releases. These vulnerabilities affect IBM SDK for Node.js v8.14.0and earlier releases. These vulnerabilities affect IBM SDK for Node.js v10.14.0.0 and earlier releases. Through the command-line Cloud Foundry clientrunthe following command: cf ssh <appname> -c "cat staging_info.yml" Look for the following lines: {"detected_buildpack":"SDK for Node.js(TM) (node.js-xxx, buildpack-v3.xxx) ","start_command":"./vendor/initial_startup.rb"} If the Node.js engine version is not at least v6.17.0,v8.15.1or v10.15.2your application may be vulnerable. Remediation/Fixes The fixes for these vulnerabilities are included in IBM SDK for Node.js v6.17.0and subsequent releases. The fixes for these vulnerabilities are included in IBM SDK for Node.js v8.15.1and subsequent releases. The fixes for these vulnerabilities are included in IBM SDK for Node.js v10.15.2and subsequent releases. To upgrade to the latest version of the Node.js runtime, please specify the latest Node.js runtime in your package.json file for your application: "engines": { "node": ">=6.17.0" }, or "engines": { "node": ">=8.15.1" }, or "engines": { "node": ">=10.15.2" }, You will then need to restage (or re-push) your application using the IBM SDK for Node.js Buildpack v3.26. Workarounds and Mitigations None. Monitor IBM Cloud Status for Future Security Bulletins Monitor the security notifications on the IBM Cloud Status page to be advised of future security bulletins. Change History 6 Jun 2019: Original document published - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXQL7+2aOgq3Tt24GAQhSiw//U5E7X56lez22uq5tEAT7MxlMTArLyM8N Oy9qQRt5gkVTSzGQKrHqy0iiuIUkL21SgTfYaJn0cKEzO9zntxX/t+aTdyJQ07bz by8YGevksVKBFI5fQnlt7IRYqZXa946+96JdN/9sAu6V9W8a6DwL34jZThBi3GKT YjY2nQQ1wukcrvo+AzyUUMY/fKMzZCQts713JPtsAnFnNb9T4iawvqTcWL5a4PgR x/PD/DK05l+XbU1a5d+t6LH3iNy/t+vqU0GCZaIfK+HkI1A16eiwgxAygrNMnRHi aQcWpeDFOAe9MhxbZy7ZtxkHmeSLMoK9zWGc0C2e9R+/FGzySvY2ZZ23RuxqoYlJ mw4VPFgxUSteoYNQZ63Lz5akRDkdxsKf9wBlb/RY/BeYLSDyHixwI4SHjeiaeqyK U+JbuO6aJBnMtosg143RbkwkftcD4LH2LG4m7ru7KhpONbOxFJXbfkkgOQGnV4lk s3Mf2NA9XfvKm0OWXRDeX4hOrD7xItF+gjsbqpQX7X1Y+SCJHMa/UHvOUZZS89TS 9Cq1kKLm7Qh2aRzJa5GoBeGDqpJQDKG3Xeko+g1nS2sYBTFZ5S21JFWmXq1zNOpb w+gNhYT97Qv6zI9TB126ubcqFqVXc/BlIpnujdIWlsA5yY1Re8CeEuvkrYq44XjD n8cECjVadWE= =hvNo -----END PGP SIGNATURE-----