IBM Support

Security Bulletin: Multiple Security Vulnerabilities affect IBM® Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)

Created by Cynthia Glass on
Published URL:
https://www.ibm.com/support/pages/node/718901
718901

Security Bulletin


Summary

IBM Cloud Private and IBM Cloud Private Cloud Foundry are vulnerable to multiple security vulnerabilities

Vulnerability Details

CVEID: CVE-2018-7167
DESCRIPTION: Node.js is vulnerable to a denial of service. By invoking Buffer.fill() or Buffer.alloc() , a remote attacker could exploit this vulnerability to cause the application to hang.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144740 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-7164
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading from the network into JavaScript using the net.Socket object directly as a stream. By sending tiny chunks of data in short succession, a remote attacker could exploit this vulnerability to cause the application to exhaust all memory resources.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144739 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7162
DESCRIPTION: Node.js is vulnerable to a denial of service. By sending duplicate/unexpected messages during the handshake, a remote attacker could exploit this vulnerability to cause the node server providing an http server supporting TLS server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144738 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2018-1000168
DESCRIPTION: nghttp2 is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141584 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-7161
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error within the http2 implementation. By interacting with the http2 server in an insecure manner, a remote attacker could exploit this vulnerability to cause the node server providing an http2 server to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144736 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Cloud Private 2.1.0

IBM Cloud Private Cloud Foundry 2.1.0

Remediation/Fixes

Release Fixing VRM Level Platform Link to Fix
IBM Cloud Private 2.1.0.x 2.1.0.3 Fix Pack 1 + Patch Linux

2.1.0.3 Fix Pack 1

Helm API Patch

Vulnerability Advisor Patch

IBM Cloud Private Cloud Foundry 2.1.0.x 2.1.0.3 Fix Pack 1 Linux 2.1.0.3 Fix Pack 1

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

26 September 2018: original document published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSBS6K","label":"IBM Cloud Private"},"Component":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
26 September 2018

UID

ibm10718901