IBM Security Bulletin: Security Bulletin: Vulnerabilities in OpenSSL and ReDoS vulnerability in semver module affect IBM® SDK for Node.js™ in IBM Bluemix (CVE-2016-2107, CVE-2016-2105, CVE-2015-8855)

OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. The “semver” module is vulnerable to regular expression denial of service (ReDoS) when extremely long version strings are parsed.

CVE(s): CVE-2016-2107, CVE-2016-2105, CVE-2015-8855

Affected product(s) and affected version(s):

CVE-2016-2107 affects IBM SDK for Node.js v1.1.1.0 and earlier releases.
All listed vulnerabilities affect IBM SDK for Node.js v1.2.0.11 and earlier releases.
All listed vulnerabilities affect IBM SDK for Node.js v4.4.3.0 and earlier releases.
All listed vulnerabilities affect IBM SDK for Node.js v6.0.0.0.
The corresponding open-source versions are v0.10.44, v0.12.13 and v4.4.3, respectively.

To check which version of the Node.js runtime runtime your Bluemix application is using, navigate to the “Files” menu item for your application through the Bluemix UI. In the “logs” directory, check the “staging_task.log”.

You can also find this file through the command-line Cloud Foundry client by running the following command:

cf files logs/staging_task.log

Look for the following lines:

—–> IBM SDK for Node.js Buildpack _______

If the Node.js engine version is not v0.10.45, v0.12.14 or v4.4.4, your application may be vulnerable.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1UimLfI
X-Force Database: http://ift.tt/1NwOQz5
X-Force Database: http://ift.tt/1NwOPLs
X-Force Database: http://ift.tt/24KfyMe



from IBM Product Security Incident Response Team http://ift.tt/1UimGZo