Node.js Runtime Security Fix

An OpenSSL security exposure [1] affects the node.js runtime in Bluemix. It was fixed in an update to IBM’s node.js version 0.10.28, which is embedded in the latest Bluemix node.js buildpack (v1-20140617-2114). It was also fixed in the open source version of node.js 0.10.29.

We recommend that all existing node.js apps be repushed using this latest buildpack (v1-20140617-2114). You can issue “cf buildpacks” to check the available buildpack versions.

If you specify a range for your application's node.js runtime version, such as 0.10.x, it will be resolved to 0.10.29, which means you will be running the OSS version of the node.js runtime. To run on the IBM supported version, set the node.js runtime version explicitly to 0.10.28. We plan to adjust the default node.js version resolution scheme after eGA to prefer the IBM supported version as appropriate.

[1] SSL/TLS MITM vulnerability (CVE-2014-0224)
===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
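
To check a runtime against the fixed releases listed above, the following added example (not part of the original post or of any IBM or OpenSSL tooling) classifies an OpenSSL version string. It assumes the runtime reports its bundled OpenSSL version in `process.versions.openssl` and that the version string reflects the fix level; the function names are illustrative.

```javascript
// Fixed release letters per branch, taken from the advisory text above.
const FIXED = { '0.9.8': 'za', '1.0.0': 'm', '1.0.1': 'h' };
// Pre-release the advisory names as vulnerable without listing a fixed release.
const NAMED_VULNERABLE = ['1.0.2-beta1'];

// Split "1.0.1e-fips" into branch "1.0.1", letters "e" and tag "fips".
function parseOpenSSLVersion(version) {
  const m = /^(\d+\.\d+\.\d+)([a-z]*)(?:-(.+))?$/.exec(String(version).trim());
  return m ? { branch: m[1], letters: m[2], tag: m[3] || '' } : null;
}

// OpenSSL patch letters run a..z and then za, zb, ... so a longer suffix
// is newer, and suffixes of equal length compare alphabetically.
function compareLetters(a, b) {
  if (a.length !== b.length) return a.length - b.length;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns 'fixed', 'vulnerable', or 'unknown' (unparsable string, or a
// branch for which the advisory text gives no fixed release).
function cve20140224Status(version) {
  const raw = String(version).trim();
  if (NAMED_VULNERABLE.includes(raw)) return 'vulnerable';
  const v = parseOpenSSLVersion(raw);
  if (!v || !Object.prototype.hasOwnProperty.call(FIXED, v.branch)) {
    return 'unknown';
  }
  return compareLetters(v.letters, FIXED[v.branch]) >= 0 ? 'fixed' : 'vulnerable';
}

// Report on the OpenSSL bundled with the node.js runtime executing this file.
function checkRuntime() {
  const bundled = process.versions.openssl;
  return { openssl: bundled, status: cve20140224Status(bundled) };
}

console.log(checkRuntime());
// Constructed sample versions covering each branch boundary.
for (const v of ['0.9.8z', '0.9.8za', '1.0.0l', '1.0.1g', '1.0.1h']) {
  console.log(v, cve20140224Status(v));
}
```

An `unknown` result means the advisory text above does not cover that branch, so it should not be read as "not affected".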
