Node.js Runtime Security Fix

There was an OpenSSL security exposure [1] that affects the node.js runtime in Bluemix. This was fixed in an update to IBM’s node.js version 0.10.28, which is embedded in the latest Bluemix node.js buildpack (v1-20140617-2114). It was also fixed in the open source version of node.js 0.10.29.

We recommend that all existing node.js apps be repushed using this latest buildpack (v1-20140617-2114). You can issue “cf buildpacks” to check the available buildpack versions.

If you specify a range for the node.js runtime of your application, such as 0.10.x, it will be resolved to 0.10.29, which means you will be running with the OSS version of the node.js runtime. To run on the IBM-supported version, please set the node.js runtime version explicitly to 0.10.28. We plan to adjust the default node.js version resolution scheme after eGA to prefer the IBM-supported version as appropriate.

[1] SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
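
An added example (not code from the original post, IBM or OpenSSL): a small Node.js check that compares an OpenSSL version string, such as `process.versions.openssl`, with the fixed releases listed in the advisory above. It compares version strings only, so a vendor build that backports the fix without changing the version string is still reported as vulnerable; the function names and sample inputs are constructed for illustration.

```javascript
// Added example: compare an OpenSSL version string with the fixed releases
// named in the advisory (0.9.8za, 1.0.0m, 1.0.1h).
const FIXED = { '0.9.8': 'za', '1.0.0': 'm', '1.0.1': 'h' };

// OpenSSL patch letters run a..z, then za, zb, ...; map them to an integer
// so that 'y' < 'z' < 'za' < 'zb'. An empty suffix (e.g. "1.0.1") ranks 0.
function patchRank(letters) {
  if (letters === '') return 0;
  const last = letters.charCodeAt(letters.length - 1) - 96; // 'a' -> 1
  return 26 * (letters.length - 1) + last;
}

// Split "1.0.1e-fips" into branch "1.0.1", patch "e", tag "fips".
// Returns null for strings that do not follow this legacy scheme.
function parseOpenSSLVersion(version) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)(?:-(.+))?$/.exec(String(version).trim());
  if (!m) return null;
  return { branch: m[1], patch: m[2], tag: m[3] || '' };
}

// Returns 'fixed', 'vulnerable' or 'unknown' (branch not covered by the advisory).
function cve20140224Status(version) {
  const v = parseOpenSSLVersion(version);
  if (!v) return 'unknown';
  // 1.0.2-beta1 is named as vulnerable; the advisory lists no fixed 1.0.2 release.
  if (v.branch === '1.0.2' && v.tag === 'beta1') return 'vulnerable';
  if (!(v.branch in FIXED)) return 'unknown';
  return patchRank(v.patch) >= patchRank(FIXED[v.branch]) ? 'fixed' : 'vulnerable';
}

// Constructed sample inputs, plus the OpenSSL linked into the running node binary.
function report() {
  const samples = ['0.9.8y', '0.9.8za', '1.0.0m', '1.0.1g', '1.0.1h', '1.0.1e-fips', '1.0.2-beta1'];
  return samples.concat(process.versions.openssl || [])
    .map((s) => s + ': ' + cve20140224Status(s));
}

console.log(report().join('\n'));
```
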
