Security Bulletin
Summary
This bulletin describes CVE-2015-3197 that was reported on January 26, 2015 by the OpenSSL Project, plus two additional vulnerabilities.
Vulnerability Details
CVEID: CVE-2015-3197
DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of weak Diffie-Hellman parameters based on unsafe primes that are generated and stored in X9.42-style parameter files. By performing multiple handshakes using the same private DH exponent, an attacker could exploit this vulnerability to conduct man-in-the-middle attacks.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110235 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVE-ID: CVE-2016-2086
DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the improper handling of the Content-Length header. A remote attacker could send a specially-crafted request in a malformed chunked header to the Web server to cause multiple processing conflicts on the servers. An attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base Score: 6.100
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110530 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVE-ID: CVE-2016-2216
DESCRIPTION: Node.js is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input when processing malicious requests. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers containing unicode charactesr and cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning or cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.100
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/110529 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions
These vulnerabilities affect IBM SDK for Node.js v1.1.0.18 and earlier releases.
These vulnerabilities affect IBM SDK for Node.js v1.2.0.8 and earlier releases.
A subset of these vulnerabilities affect IBM SDK for Node.js v4.2.6.0 and earlier releases. See Remediation/Fixes section for details.
Remediation/Fixes
CVE ID | Fixed IBM SDK for Node.js releases | ||
|---|---|---|---|
1.1.x | 1.2.x | 4.x | |
CVE-2015-3197 | 1.1.0.19 | 1.2.0.9 | N/A |
CVE-2016-2086 | 1.1.0.19 | 1.2.0.9 | 4.3.0.0 |
CVE-2016-2216 | 1.1.0.19 | 1.2.0.9 | 4.3.0.0 |
IBM SDK for Node.js can be downloaded, subject to the terms of the developerWorks license, from here.
IBM customers requiring an update for an SDK shipped with an IBM product should contact IBM support, and/or refer to the appropriate product security bulletin.
Workarounds and Mitigations
CVE-2015-3197 only applies to IBM SDK for Node.js v1.1.x and 1.2.x if the --enable-ssl2 command line argument is being used. This option is not enabled by default.
Get Notified about Future Security Bulletins
References
Change History
February 16 2016: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
08 August 2018
UID
swg21976356