-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4788
        Vulnerability in Node.js affects IBM Integration Bus & IBM
                        App Connect Enterprise V11
                             23 December 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Integration Bus
                   IBM App Connect Enterprise V11
Publisher:         IBM
Operating System:  AIX
                   Solaris
                   Linux variants
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-9518 CVE-2019-9517 CVE-2019-9516
                   CVE-2019-9515 CVE-2019-9514 CVE-2019-9513
                   CVE-2019-9512 CVE-2019-9511 

Reference:         ASB-2019.0290
                   ASB-2019.0286

Original Bulletin: 
   https://www.ibm.com/support/pages/node/1150960

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Node.js affects IBM Integration Bus & IBM
                          App Connect Enterprise V11

  Security Bulletin

Summary

   IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js,
   for which vulnerabilities were reported and have been addressed.
   Vulnerability details are listed below.

Vulnerability Details

   CVEID:   CVE-2019-9511
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to window size
   manipulation and stream prioritization manipulation, potentially leading
   to a denial of service. The attacker requests a large amount of data
   from a specified resource over multiple streams. They manipulate window
   size and stream priority to force the server to queue the data in 1-byte
   chunks. Depending on how efficiently this data is queued, this can
   consume excess CPU, memory, or both.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/164638 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9516
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a header
   leak, potentially leading to a denial of service. The attacker sends a
   stream of headers with a 0-length header name and 0-length header value,
   optionally Huffman encoded into 1-byte or greater headers. Some
   implementations allocate memory for these headers and keep the
   allocation alive until the session dies. This can consume excess memory.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/165182 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9512
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to ping
   floods, potentially leading to a denial of service. The attacker sends
   continual pings to an HTTP/2 peer, causing the peer to build an internal
   queue of responses. Depending on how efficiently this data is queued,
   this can consume excess CPU, memory, or both.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/164903 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9517
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to
   unconstrained internal data buffering, potentially leading to a denial of
   service. The attacker opens the HTTP/2 window so the peer can send
   without constraint; however, they leave the TCP window closed so the
   peer cannot actually write (many of) the bytes on the wire. The attacker
   then sends a stream of requests for a large response object. Depending
   on how the servers queue the responses, this can consume excess memory,
   CPU, or both.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/165183 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9518
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a flood of
   empty frames, potentially leading to a denial of service. The attacker
   sends a stream of frames with an empty payload and without the
   end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION
   and/or PUSH_PROMISE. The peer spends time processing each frame
   disproportionate to attack bandwidth. This can consume excess CPU.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/164904 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9515
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a settings
   flood, potentially leading to a denial of service. The attacker sends a
   stream of SETTINGS frames to the peer. Since the RFC requires that the
   peer reply with one acknowledgement per SETTINGS frame, an empty
   SETTINGS frame is almost equivalent in behavior to a ping. Depending on
   how efficiently this data is queued, this can consume excess CPU,
   memory, or both.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/165181 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9513
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to resource
   loops, potentially leading to a denial of service. The attacker creates
   multiple request streams and continually shuffles the priority of the
   streams in a way that causes substantial churn to the priority tree.
   This can consume excess CPU.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/164639 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

   CVEID:   CVE-2019-9514
   DESCRIPTION:   Some HTTP/2 implementations are vulnerable to a reset
   flood, potentially leading to a denial of service. The attacker opens a
   number of streams and sends an invalid request over each stream that
   should solicit a stream of RST_STREAM frames from the peer. Depending on
   how the peer queues the RST_STREAM frames, this can consume excess
   memory, CPU, or both.
   CVSS Base score: 7.5
   CVSS Temporal Score: See:
   https://exchange.xforce.ibmcloud.com/vulnerabilities/164640 for the
   current score.
   CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
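   The eight descriptions above share one shape: the client sends frames
   that are nearly free to emit but force the server to queue work (a PING
   ACK, a SETTINGS ACK, a priority-tree update, a frame with nothing in
   it). The following is an added example, not IBM's or Node.js's code: a
   small HTTP/2 frame-header parser with a per-session budget for the frame
   kinds named in CVE-2019-9511/9512/9513/9515/9517/9518, so that a
   captured byte stream can be triaged for these patterns. The thresholds
   and the sample sessions are constructed for illustration, and the
   header-leak (CVE-2019-9516) and reset-flood (CVE-2019-9514) cases are
   not covered because they need HPACK decoding and server-side stream
   state respectively.

```python
"""Heuristic triage of HTTP/2 flood patterns from a raw frame buffer.

Added example (not IBM's or Node.js's code). Frame layout follows RFC 7540
section 4.1; thresholds and sample traffic below are constructed.
"""
from collections import Counter

# RFC 7540 frame type codes, 0x0 .. 0x9
(DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS,
 PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION) = range(10)
FLAG_END_STREAM = 0x1   # bit 0 on DATA / HEADERS
FLAG_ACK = 0x1          # bit 0 on SETTINGS / PING
FLAG_END_HEADERS = 0x4
FRAME_HEADER_LEN = 9

# Illustrative per-session budget of frames that are cheap to send but
# cost the peer work; these numbers are assumptions, not from the advisory.
BUDGET = {
    "ping": 50,            # CVE-2019-9512: every PING demands a PING ACK
    "settings": 50,        # CVE-2019-9515: every SETTINGS demands an ACK
    "empty_frame": 100,    # CVE-2019-9518: empty frames without END_STREAM
    "priority": 100,       # CVE-2019-9513: priority-tree churn
    "window_update": 200,  # CVE-2019-9511 / 9517: window manipulation
}


def parse_frames(buf):
    """Yield (type, flags, stream_id, payload) for each complete frame in buf."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = int.from_bytes(buf[off + 5:off + 9], "big") & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        if start + length > len(buf):
            break  # truncated trailing frame: stop rather than misparse
        yield ftype, flags, stream_id, buf[start:start + length]
        off = start + length


def classify(ftype, flags, payload):
    """Return the budget bucket a frame consumes, or None for ordinary traffic."""
    if ftype == PING and not flags & FLAG_ACK:
        return "ping"
    if ftype == SETTINGS and not flags & FLAG_ACK:
        return "settings"
    if ftype == PRIORITY:
        return "priority"
    if ftype == WINDOW_UPDATE:
        return "window_update"
    if (ftype in (DATA, HEADERS, CONTINUATION, PUSH_PROMISE)
            and len(payload) == 0 and not flags & FLAG_END_STREAM):
        return "empty_frame"
    return None


def audit_session(buf):
    """Return (counts, alerts): per-bucket counts and the buckets over budget."""
    counts = Counter()
    for ftype, flags, _sid, payload in parse_frames(buf):
        bucket = classify(ftype, flags, payload)
        if bucket:
            counts[bucket] += 1
    alerts = sorted(b for b, n in counts.items() if n > BUDGET[b])
    return counts, alerts


def frame(ftype, flags=0, stream_id=0, payload=b""):
    """Encode one frame header + payload (used only to build constructed samples)."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


# Constructed sample sessions (not captured traffic).
NORMAL_SESSION = (
    frame(SETTINGS)                                   # client settings
    + frame(SETTINGS, flags=FLAG_ACK)                 # ack of server settings
    + frame(HEADERS, flags=FLAG_END_HEADERS | FLAG_END_STREAM,
            stream_id=1, payload=b"\x82\x84")         # HPACK: :method GET, :path /
    + frame(PING, payload=b"\x00" * 8)                # one keep-alive ping
    + frame(WINDOW_UPDATE, payload=(1 << 16).to_bytes(4, "big"))
)
PING_FLOOD_SESSION = NORMAL_SESSION + frame(PING, payload=b"\x00" * 8) * 60
EMPTY_FRAME_SESSION = NORMAL_SESSION + frame(DATA, stream_id=1) * 120

if __name__ == "__main__":
    for name, session in (("normal", NORMAL_SESSION),
                          ("ping flood", PING_FLOOD_SESSION),
                          ("empty frames", EMPTY_FRAME_SESSION)):
        counts, alerts = audit_session(session)
        print(f"{name}: {dict(counts)} -> alerts {alerts}")
```

   The budgets are per session and static; a production check would
   apply them per time window and would also account ACKs the server has
   still to write, since the advisory's point is the queue the peer builds,
   not the raw frame count.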

Affected Products and Versions

   IBM Integration Bus V10.0.0 - V10.0.0.17

   IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.5

Remediation/Fixes

   +----------------------------------------------------------------------+
   |   Product   |        VRMF         | APAR    |   Remediation / Fix    |
   |-------------+---------------------+---------+------------------------|
   |             |                     |         | The APAR is available  |
   | IBM App     |                     |         | in fix pack 11.0.0.6   |
   | Connect     | V11.0.0.0-V11.0.0.5 | IT30356 | IBM App Connect        |
   |             |                     |         | Enterprise Version     |
   |             |                     |         | V11-Fix Pack 11.0.0.6  |
   |-------------+---------------------+---------+------------------------|
   |             |                     |         | The APAR is available  |
   | IBM         | V10.0.0.0 -         |         | in fix pack 10.0.0.18  |
   | Integration | V10.0.0.17          | IT30356 | IBM Integration Bus    |
   | Bus         |                     |         | V10.0 - Fix Pack       |
   |             |                     |         | 10.0.0.18              |
   +----------------------------------------------------------------------+

Workarounds and Mitigations

   None

Get Notified about Future Security Bulletins

   Subscribe to My Notifications to be notified of important product
   support alerts like this.

  References

   Complete CVSS v3 Guide
   On-line Calculator v3


Related Information

   IBM Secure Engineering Web Portal
   IBM Product Security Incident Response Blog

Change History

   17 Dec 2019: Initial Publication

   *The CVSS Environment Score is customer environment specific and will
   ultimately impact the Overall CVSS Score. Customers can evaluate the
   impact of this vulnerability in their environments by accessing the
   links in the Reference section of this Security Bulletin.

Disclaimer

   According to the Forum of Incident Response and Security Teams (FIRST),
   the Common Vulnerability Scoring System (CVSS) is an "industry open
   standard designed to convey vulnerability severity and help to determine
   urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS
   IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF
   MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE
   RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY
   VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----