Node.js Runtime Security Fix

An OpenSSL security exposure [1] affects the node.js runtime in Bluemix. It was fixed in an update to IBM’s node.js version 0.10.28, which is embedded in the latest Bluemix node.js buildpack (v1-20140617-2114), and it was also fixed in the open source node.js 0.10.29.

We recommend that all existing node.js apps be repushed using this latest buildpack (v1-20140617-2114). Run “cf buildpacks” to list the available buildpack versions.

If you specify a version range for the node.js runtime in your application, such as 0.10.x, it resolves to 0.10.29, which means you will be running the OSS version of the node.js runtime. To run on the IBM supported version, specify the node.js runtime version explicitly as 0.10.28. We plan to adjust the default node.js version resolution scheme after eGA so that it prefers the IBM supported version where appropriate.
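The resolution behaviour described above, as an added example that is not part of the original post or of the Bluemix buildpack: a small resolver that reads the "engines.node" spec from a package.json and reports whether it pins the IBM build (0.10.28) or floats to the newest match (0.10.29, OSS). The version list and the package.json fragments are constructed, and the range matching is a deliberately minimal stand-in for real semver handling (exact versions, "x"/"*" wildcards, and ">=" / "~" prefixes only).

```javascript
// Versions the buildpack is assumed to offer (constructed from the post).
const AVAILABLE = [
  { version: '0.10.28', source: 'IBM' },
  { version: '0.10.29', source: 'OSS' },
];

// "0.10.28" -> [0, 10, 28]; short specs like "0.10" are padded with zeros.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Minimal range matcher: does version v satisfy spec?
function satisfies(v, spec) {
  spec = spec.trim();
  if (spec === '*' || spec === '') return true;
  if (spec.startsWith('>=')) return compareVersions(v, spec.slice(2).trim()) >= 0;
  if (spec.startsWith('~')) {
    // ~0.10.28 allows patch-level changes only: >=0.10.28 <0.11.0
    const base = spec.slice(1).trim();
    const [maj, min] = parseVersion(base);
    const [vmaj, vmin] = parseVersion(v);
    return vmaj === maj && vmin === min && compareVersions(v, base) >= 0;
  }
  // Exact or wildcard spec: compare component by component, "x" matches anything.
  const parts = spec.split('.');
  const vparts = v.split('.');
  for (let i = 0; i < 3; i++) {
    const p = parts[i];
    if (p === undefined || p === 'x' || p === 'X' || p === '*') continue;
    if (p !== vparts[i]) return false;
  }
  return true;
}

// Pick the highest available version that satisfies the spec (the behaviour
// the post describes for ranges such as 0.10.x), or null if nothing matches.
function resolveNodeVersion(spec, available = AVAILABLE) {
  const matches = available.filter((a) => satisfies(a.version, spec));
  if (matches.length === 0) return null;
  matches.sort((a, b) => compareVersions(b.version, a.version));
  return matches[0];
}

// Inspect a parsed package.json and report what the app would run on.
function checkPackageJson(pkg) {
  const spec = (pkg.engines && pkg.engines.node) || '*';
  const resolved = resolveNodeVersion(spec);
  return {
    spec,
    resolved: resolved ? resolved.version : null,
    source: resolved ? resolved.source : null,
    pinnedToIbm: resolved !== null && resolved.source === 'IBM',
  };
}

// Constructed package.json fragments: a floating range and an explicit pin.
const floating = { name: 'app', engines: { node: '0.10.x' } };
const pinned = { name: 'app', engines: { node: '0.10.28' } };
console.log(checkPackageJson(floating)); // resolves to 0.10.29 (OSS)
console.log(checkPackageJson(pinned));   // resolves to 0.10.28 (IBM)
```

A missing "engines" entry behaves like "*" here, so an app that never declared a runtime version also floats to the newest build; pinning is what keeps it on the IBM supported runtime.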

[1] SSL/TLS MITM vulnerability (CVE-2014-0224)

===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
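A runtime self-check for the advisory above, as an added example that is not part of the original post or of the OpenSSL advisory: it parses an OpenSSL version string (for a Node.js process, the one in process.versions.openssl) and decides whether it is at or past the first fixed release of its branch, using only the fixed versions the advisory lists (0.9.8za, 1.0.0m, 1.0.1h). The release-letter ordering (a < b < … < z < za < zb) is OpenSSL's own scheme for 0.9.8/1.0.x patch releases; branches the advisory names no fix for (such as 1.0.2-beta1) are reported as not covered rather than guessed at. The sample version strings are constructed.

```javascript
// First patched release per branch, taken from the advisory text above.
const FIXED_IN = {
  '0.9.8': 'za',
  '1.0.0': 'm',
  '1.0.1': 'h',
};

// Parse strings such as "1.0.1e", "1.0.1h-fips" or "1.0.2-beta1".
function parseOpenSslVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-([\w.]+))?/.exec(String(s).trim());
  if (!m) return null;
  return {
    branch: `${m[1]}.${m[2]}.${m[3]}`,
    letter: m[4],       // "" for an unlettered base release
    tag: m[5] || '',    // e.g. "fips" or "beta1"
  };
}

// OpenSSL release letters: shorter suffixes come first ("" < "a" ... < "z" < "za").
function compareLetters(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Classify one OpenSSL version string against the advisory's fixed versions.
function cve20140224Status(versionString) {
  const v = parseOpenSslVersion(versionString);
  if (!v) return { status: 'unparseable', version: versionString };
  const fixed = FIXED_IN[v.branch];
  if (!fixed) {
    // 1.0.2-beta1 and anything not in the advisory's table.
    return { status: 'not-covered', branch: v.branch, version: versionString };
  }
  const patched = compareLetters(v.letter, fixed) >= 0;
  return {
    status: patched ? 'patched' : 'vulnerable',
    branch: v.branch,
    fixedIn: v.branch + fixed,
    version: versionString,
  };
}

// Constructed samples, plus the OpenSSL linked into the current Node.js process.
const SAMPLES = ['1.0.1e', '1.0.1h', '1.0.1h-fips', '0.9.8y', '0.9.8za',
                 '1.0.0l', '1.0.0m', '1.0.2-beta1'];

function runReport(samples = SAMPLES) {
  const inputs = samples.slice();
  if (typeof process !== 'undefined' && process.versions && process.versions.openssl) {
    inputs.push(process.versions.openssl);
  }
  return inputs.map(cve20140224Status);
}

for (const r of runReport()) {
  console.log(`${r.version.padEnd(14)} ${r.status}${r.fixedIn ? ' (fixed in ' + r.fixedIn + ')' : ''}`);
}
```

Modern Node.js releases bundle OpenSSL versions far newer than the 1.0.x branches in the table, so on a current runtime the process's own entry prints as not-covered; the check is meant for the 0.10.x-era runtimes the post is about.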
