
Node.js Runtime Security Fix


An OpenSSL security exposure [1] affects the node.js runtime in Bluemix. It was fixed in an update to IBM’s node.js version 0.10.28, which is embedded in the latest Bluemix node.js buildpack (v1-20140617-2114). It was also fixed in the open source version of node.js 0.10.29.

We recommend that all existing node.js apps be repushed using this latest buildpack (v1-20140617-2114). You can issue “cf buildpacks” to check the available buildpack versions.

If you specify a range for your application's node.js runtime version, such as 0.10.x, it will be resolved to 0.10.29, which means you will be running the OSS version of the node.js runtime. To run on the IBM-supported version, set the node.js runtime version explicitly to 0.10.28. We plan to adjust the default node.js version resolution scheme after eGA to prefer the IBM-supported version as appropriate.

[1] SSL/TLS MITM vulnerability (CVE-2014-0224)

===========================================

An attacker using a carefully crafted handshake can force the use of weak
keying material in OpenSSL SSL/TLS clients and servers. This can be exploited
by a Man-in-the-middle (MITM) attack where the attacker can decrypt and
modify traffic from the attacked client and server.

The attack can only be performed between a vulnerable client and
server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers
are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users
of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za.
OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m.
OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
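
As an added example (not part of the original post, and not IBM's or OpenSSL's code), this Node.js script classifies an OpenSSL version string, such as the one the runtime reports in `process.versions.openssl`, against the fixed releases listed in the advisory above. The function names are illustrative, and the script uses ES5 syntax so it also runs on the 0.10 runtimes discussed here.

```javascript
'use strict';

// Fixed release letter per branch, taken from the advisory text above.
var FIXED = { '0.9.8': 'za', '1.0.0': 'm', '1.0.1': 'h' };

// OpenSSL patch letters run a..z, then za, zb, ...; map them to an integer
// so that '' < 'a' < ... < 'z' < 'za' < 'zb'.
function letterRank(suffix) {
  var rank = 0;
  for (var i = 0; i < suffix.length; i++) {
    rank += suffix.charCodeAt(i) - 96; // 'a' -> 1
  }
  return rank;
}

// Accepts strings such as "1.0.1h", "0.9.8za" or "1.0.2-beta1".
// Returns null for anything that does not follow that scheme.
function parseOpenSSLVersion(str) {
  var m = /^(\d+\.\d+\.\d+)([a-z]*)(-[0-9a-z]+)?$/.exec(String(str).trim());
  if (!m) return null;
  return { branch: m[1], letters: m[2], pre: m[3] || '' };
}

// Returns 'fixed', 'vulnerable' or 'unknown' (branch not covered by the advisory).
function classify(str) {
  var v = parseOpenSSLVersion(str);
  if (!v) return 'unknown';
  if (Object.prototype.hasOwnProperty.call(FIXED, v.branch)) {
    return letterRank(v.letters) >= letterRank(FIXED[v.branch])
      ? 'fixed'
      : 'vulnerable';
  }
  // The advisory names 1.0.2-beta1 as vulnerable and lists no fixed 1.0.2 release.
  if (v.branch === '1.0.2' && v.pre === '-beta1') return 'vulnerable';
  return 'unknown';
}

// Report on the OpenSSL library linked into the running node.js binary.
var running = process.versions.openssl;
console.log('OpenSSL ' + running + ': ' + classify(running));
```

A build that backports the fix without changing its OpenSSL version string will still be reported as vulnerable, so confirm such results against the build's release notes.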
