Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4788 Vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 23 December 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM Integration Bus IBM App Connect Enterprise V11 Publisher: IBM Operating System: AIX Solaris Linux variants Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2019-9518 CVE-2019-9517 CVE-2019-9516 CVE-2019-9515 CVE-2019-9514 CVE-2019-9513 CVE-2019-9512 CVE-2019-9511 Reference: ASB-2019.0290 ASB-2019.0286 Original Bulletin: https://www.ibm.com/support/pages/node/1150960 - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11 Security Bulletin Summary IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for which vulnerabilities were reported and have been addressed..Vulnerability details are listed below Vulnerability Details CVEID: CVE-2019-9511 DESCRIPTION: Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164638 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9516 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service. The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165182 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9512 DESCRIPTION: Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164903 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9517 DESCRIPTION: Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint; however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165183 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9518 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164904 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9515 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/165181 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9513 DESCRIPTION: Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service. The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164639 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-9514 DESCRIPTION: Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164640 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) Affected Products and Versions IBM Integration Bus V10.0.0 - V10.0.0.17 IBM App connect Enterprise V11 , V11.0.0.0 - V11.0.0.5 Remediation/Fixes +----------------------------------------------------------------------+ | Product | VRMF | APAR | Remediation / Fix | |-------------+---------------------+---------+------------------------| | | | | The APAR is available | | IBM App | | | in fix pack 11.0.0.6 | | Connect | V11.0.0.0-V11.0.0.5 | IT30356 | IBM App Connect | | | | | Enterprise Version | | | | | V11-Fix Pack 11.0.0.6 | |-------------+---------------------+---------+------------------------| | | | | The APAR is available | | IBM | V10.0.0.0 - | | in fix pack 10.0.0.18 | | Integration | V10.0.0.17 | IT30356 | IBM Integration Bus | | Bus | | | V10.0 - Fix Pack | | | | | 10.0.0.18 | +----------------------------------------------------------------------+ Workarounds and Mitigations None Get Notified about Future Security Bulletins Subscribe to My Notifications to be notified of important product support alerts like this. References Complete CVSS v3 Guide On-line Calculator v3 Off Related Information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 17 Dec 2019: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXgBZo2aOgq3Tt24GAQgGIA//Q6+FZgQQHKEXnaSL7pi/eafXywbh0WrF IqoKceLadOJpKX7Z0AK3pjlmSsdJAknhGIu5qWYoPRjHIPNFRsSF0mC2pjQawvz6 X0a7noZUgWH7gwlBOwEJ6QN9UDCzJGBI3OhkZSbP5aN9d2847iWdg9JmiCWh56iR iipYT5dUPOo9TlGd/qoGODVIy6AkKXw+aEr9csWufy9t5DsJZ563P9cPJEJ1Swsj wVHglQhxYVSBhq34HyOxfHgCaNL3aYw+oPulT7ncUSPYpsK+bEJ37kwXiHg3+iJ2 u85T1aYTtsj6CKMXo6XNx6Ta9GkSPekChOokFhcS+xRLc2QL3FaarvdTI3Y00wWA Mjyf05XWexi0TbIqUwv0OlHkao4uZXqzvyR2n2X0MoRz8uIyqBdCu238OvwQ1gGg rlQbP4TvRkS1lzD/2sOwvX1vW/b1nz7LPJFpovolGmF1wjWQ2P5Xu4vwbO4/BwAz 2dwUbN7e4Ti/5EmcHGoyKwdxu61DOCOISd3IsPe3tXS94EzN6sFgQQ/5PXWxCRbz 5eR874beT0fBNqKKTytm584t/mAyoBs1SogM+y61G8Y5TnjYd2f0FqBsMGvmRzPG ERsnXnxQOj7yIJ6tOJMxz1ntzM2PmnJBdGFS7W2TmMxOn2UhZrsLVopL2XFVu5X8 2JxHxe4S7TE= =13fx -----END PGP SIGNATURE-----