High Severity

IBM Security Bulletin: Multiple vulnerabilities in Node.js affect IBM i

Share this post:

Node.js is supported by IBM i. IBM i has addressed the vulnerabilities.

CVE(s): CVE-2019-9517, CVE-2019-9518, CVE-2019-9515, CVE-2019-9516, CVE-2019-9513, CVE-2019-9514, CVE-2019-9511, CVE-2019-9512

Affected product(s) and affected version(s):

Releases 7.4, 7.3 and 7.2 of IBM i are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/1072144
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/165183
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/164904
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/165181
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/165182
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/164639
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/164640
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/164638
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/164903

More stories

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Performance Management products

Nov 18, 2019 7:00 pm EST | High Severity

CVEID:   CVE-2019-11772 DESCRIPTION:   In Eclipse OpenJ9 prior to 0.15, the String.getBytes(int, int, byte[], int) method does not verify that the provided byte array is non-null nor that the provided index is in bounds when compiled by the JIT. This allows arbitrary writes to any 32-bit address or beyond the end of a byte array within Java code run under a SecurityManager.CVSS Base score: 8.4CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163990 for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2019-2766 DESCRIPTION:   Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).CVSS Base score: 3.1CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163829 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N) CVEID:   CVE-2019-2786 DESCRIPTION:   Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 3.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N).CVSS Base score: 3.4CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163849 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N) CVEID:   CVE-2019-2816 DESCRIPTION:   Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Networking). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).CVSS Base score: 4.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163878 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) CVEID:   CVE-2019-2762 DESCRIPTION:   Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163826 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID:   CVE-2019-2769 DESCRIPTION:   Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Utilities). Supported versions that are affected are Java SE: 7u221, 8u212, 11.0.3 and 12.0.1; Java SE Embedded: 8u211. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).CVSS Base score: 5.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163832 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID:   CVE-2019-7317 DESCRIPTION:   png_image_free in png.c in libpng 1.6.x before 1.6.37 has a use-after-free because png_image_free_function is called under png_safe_execute.CVSS Base score: 3.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161346 for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) ...read more


Security Bulletin: Vulnerabilities in Curl affect PowerSC (CVE-2019-5435, CVE-2019-5436)

Nov 18, 2019 7:00 pm EST | High Severity

CVEID:   CVE-2019-5435 DESCRIPTION:   An integer overflow in curl's URL API results in a buffer overflow in libcurl 7.62.0 to and including 7.64.1.CVSS Base score: 7.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161429 for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) CVEID:   CVE-2019-5436 DESCRIPTION:   A heap buffer overflow in the TFTP receiving code allows for DoS or arbitrary code execution in libcurl versions 7.19.4 through 7.64.1.CVSS Base score: 6.3CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161431 for the current score.CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ...read more


Security Bulletin: CSV Injection (CVE-2019-4490)

Nov 14, 2019 7:00 pm EST | High Severity

CVEID:   CVE-2019-4490 DESCRIPTION:   CVSS Base score: 7.8CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164111 for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) ...read more