Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.2114
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud
14 June 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM SDK for Node.js for Bluemix
Publisher: IBM
Operating System: Linux variants
Impact/Access: Access Privileged Data -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-5739 CVE-2019-5737 CVE-2019-1559
Reference: ASB-2019.0147
ASB-2019.0128
ESB-2019.2060
ESB-2019.2031
Original Bulletin:
http://www.ibm.com/support/docview.wss?uid=ibm10886797
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud
Product: IBM SDK for Node.js for Bluemix
Software version: All Versions
Operating system(s): Linux
Reference #: 0886797
Security Bulletin
Summary
OpenSSL vulnerabilities were disclosed by the OpenSSL Project. OpenSSL is used
by IBM SDK for Node.js for IBM Cloud. IBM SDK for Node.js for IBM Cloud has
addressed the applicable CVEs. Node.js vulnerabilities were disclosed by the
Node.js foundation. Node.js is used by IBM SDK for Node.js for IBM Cloud. IBM
SDK for Node.js for IBM Cloud has addressed the applicable CVEs.
Vulnerability Details
CVEID: CVE-2019-1559
DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive
information, caused by the failure to immediately close the TCP connection
after the hosts encounter a zero-length record with valid padding. An attacker
could exploit this vulnerability using a 0-byte record padding-oracle attack to
decrypt traffic.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
157514 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)
CVEID: CVE-2019-5737
DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an
HTTP or HTTPS connection in keep-alive mode and sending headers very slowly to
force the connection and associated resources to stay alive for a long period
of time, a remote attacker could exploit this vulnerability to consume all
available resources.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
158093 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-5739
DESCRIPTION: Node.js is vulnerable to a denial of service. By establishing an
HTTP or HTTPS connection in keep-alive mode forcing the connection to remain
open and inactive for up to 2 minutes, a remote attacker could exploit this
vulnerability to consume all available resources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/
158096 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
These vulnerabilities affect IBM SDK for Node.js v6.15.0 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v8.14.0and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v10.14.0.0 and earlier
releases.
Through the command-line Cloud Foundry clientrunthe following command:
cf ssh <appname> -c "cat staging_info.yml"
Look for the following lines:
{"detected_buildpack":"SDK for Node.js(TM) (node.js-xxx, buildpack-v3.xxx)
","start_command":"./vendor/initial_startup.rb"}
If the Node.js engine version is not at least v6.17.0,v8.15.1or v10.15.2your
application may be vulnerable.
Remediation/Fixes
The fixes for these vulnerabilities are included in IBM SDK for Node.js
v6.17.0and subsequent releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js
v8.15.1and subsequent releases.
The fixes for these vulnerabilities are included in IBM SDK for Node.js
v10.15.2and subsequent releases.
To upgrade to the latest version of the Node.js runtime, please specify the
latest Node.js runtime in your package.json file for your application:
"engines": {
"node": ">=6.17.0"
},
or
"engines": {
"node": ">=8.15.1"
},
or
"engines": {
"node": ">=10.15.2"
},
You will then need to restage (or re-push) your application using the IBM SDK
for Node.js Buildpack v3.26.
Workarounds and Mitigations
None.
Monitor IBM Cloud Status for Future Security Bulletins
Monitor the security notifications on the IBM Cloud Status page to be advised
of future security bulletins.
Change History
6 Jun 2019: Original document published
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXQL7+2aOgq3Tt24GAQhSiw//U5E7X56lez22uq5tEAT7MxlMTArLyM8N
Oy9qQRt5gkVTSzGQKrHqy0iiuIUkL21SgTfYaJn0cKEzO9zntxX/t+aTdyJQ07bz
by8YGevksVKBFI5fQnlt7IRYqZXa946+96JdN/9sAu6V9W8a6DwL34jZThBi3GKT
YjY2nQQ1wukcrvo+AzyUUMY/fKMzZCQts713JPtsAnFnNb9T4iawvqTcWL5a4PgR
x/PD/DK05l+XbU1a5d+t6LH3iNy/t+vqU0GCZaIfK+HkI1A16eiwgxAygrNMnRHi
aQcWpeDFOAe9MhxbZy7ZtxkHmeSLMoK9zWGc0C2e9R+/FGzySvY2ZZ23RuxqoYlJ
mw4VPFgxUSteoYNQZ63Lz5akRDkdxsKf9wBlb/RY/BeYLSDyHixwI4SHjeiaeqyK
U+JbuO6aJBnMtosg143RbkwkftcD4LH2LG4m7ru7KhpONbOxFJXbfkkgOQGnV4lk
s3Mf2NA9XfvKm0OWXRDeX4hOrD7xItF+gjsbqpQX7X1Y+SCJHMa/UHvOUZZS89TS
9Cq1kKLm7Qh2aRzJa5GoBeGDqpJQDKG3Xeko+g1nS2sYBTFZ5S21JFWmXq1zNOpb
w+gNhYT97Qv6zI9TB126ubcqFqVXc/BlIpnujdIWlsA5yY1Re8CeEuvkrYq44XjD
n8cECjVadWE=
=hvNo
-----END PGP SIGNATURE-----