-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4356
Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
10 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Cloud
Publisher: IBM
Operating System: Linux variants
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-8277
Reference: ESB-2020.4264
ESB-2020.4214
ESB-2020.4188
ESB-2020.4164
Original Bulletin:
https://www.ibm.com/support/pages/node/6380404
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple vulnerabilities affect IBM® SDK for Node.js™ in IBM Cloud
Document Information
Document number : 6380404
Modified date : 09 December 2020
Product : IBM SDK for Node.js for Bluemix
Software version : All
Operating system(s): Linux
Summary
Node.js (16-Nov-2020) Security releases available
Vulnerability Details
CVEID: CVE-2020-8277
DESCRIPTION: Node.js is vulnerable to a denial of service. By getting the
application to resolve a DNS record with a larger number of responses, an
attacker could exploit this vulnerability to trigger a DNS request for a host
of their choice resulting in a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
191755 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
12.x versions of Node.js are vulnerable.
Through the command-line Cloud Foundry client run the following command:
cf ssh -c "cat app/logs/staging_task.log" | grep "Installing node"
- -----> Installing node 12.19.1
Alternatively, through the command-line Cloud Foundry client run the following
command:
$ cf ssh -c "cat app/logs/staging_task.log" | grep "IBM SDK for
Node.js"
- -----> IBM SDK for Node.js Buildpack v4.5-20201130-1530
If the Buildpack version is not at least v4.5 your application may be
vulnerable.
Remediation/Fixes
The fixes for these vulnerabilities are included in Node.js v12.19.1 and
subsequent releases.
To upgrade to the latest version of the Node.js runtime, please specify the
latest Node.js runtime in your package.json file for your application:
"engines": {
"node": "12.*"
},
You will then need to restage (or re-push) your application using the IBM SDK
for Node.js Buildpack v4.5.
Workarounds and Mitigations
None
References
Change History
09 Dec 2020: Initial Publication
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX9F57uNLKJtyKPYoAQgQBw/+PNrqnjeQ+qiFCTMRqtYpWSIC5nSq45zC
VRTrqnEiyEzUkRznmSTVWlLPV1GTBSF5Pj7L17Z6NxzYBbFxcWo/avgK06DsRUjB
OOSJMZNWvdQm+N7dndESNzI41Mqk4XBa9uqYbZaH/y2O8ahCaNnxmmUAyln4sVtF
BN5zaCNAf9FRHbxdq5yTUo4GDXduzl7owMXSPGM4r1d6nv1iscRPCEGSzxTRcI7M
uYrwQiwif6xWxfAMrFjC0+QoJ7SEAf3gOIw7BIop5RV0eupWsVK9nmsQzDMRRClT
xnsw0jsydKZOhI788B6JtlNggFVTCzP8irF2fFUNzQ8Q1jWMWSpl8CfkgXXYWpE/
wPWtPJUYSQCZgDvzen6aYnhI10POtvXMwITPvqIrKaNjCciUI5VLzJtC8YTgtnP5
BI71fC+uiDkpO/qZb42xZVGzK0mGjsHv3+oztOblkXcmzc9txKhlYQC4a2Mqyslz
/fGztMoPrHFagFp2gNpyS6uzJcMmP2A8hfYwWyzZoUQJICjAQV48hNQ5PmqqyhPn
Wxc2Usx8fAIKWiM9JJwDtoKrXx9nOYFRA0wgVvTQ+9bo2p8xBk62ryqSDIXsVMM9
c7/u/LYI67aO26HOgIQC+HoxlCdAfTMLDVBb+TQvWbIL3MQan+Q4rHSMF8aXqiIE
8nYE48knSPU=
=g0cy
-----END PGP SIGNATURE-----
The post ESB-2020.4356 – [Linux] IBM Cloud: Denial of service – Remote/unauthenticated appeared first on Malware Devil.
https://malwaredevil.com/2020/12/10/esb-2020-4356-linux-ibm-cloud-denial-of-service-remote-unauthenticated/?utm_source=rss&utm_medium=rss&utm_campaign=esb-2020-4356-linux-ibm-cloud-denial-of-service-remote-unauthenticated
No comments:
Post a Comment