Security Bulletin
Summary
IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities
Vulnerability Details
CVEID: CVE-2018-7167
DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-7164
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading from the network into JavaScript using the net.Socket object directly as a stream. By sending tiny chunks of data in short succession, a remote attacker could exploit this vulnerability to cause the application to exhaust all memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-7162
DESCRIPTION: Node.js is vulnerable to a denial of service. By sending duplicate/unexpected messages during the handshake, a remote attacker could exploit this vulnerability to cause the node server providing an http server supporting TLS server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2018-1000168
DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141584 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2018-7161
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144736 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
IBM Cloud Private 2.1.0
IBM Cloud Private Cloud Foundry 2.1.0
Remediation/Fixes
| Release | Fixing VRM Level | Platform | Link to Fix |
| IBM Cloud Private 2.1.0.x | 2.1.0.3 Fix Pack 1 + Patch | Linux | |
| IBM Cloud Private Cloud Foundry 2.1.0.x | 2.1.0.3 Fix Pack 1 | Linux | 2.1.0.3 Fix Pack 1 |
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
26 September 2018: original document published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Was this topic helpful?
Document Information
Modified date:
26 September 2018
UID
ibm10718901