Vulnerability Name:

CCN-117537

Published:2016-09-27
Updated:2016-09-27
Summary: Node.js could allow a local attacker to execute arbitrary code on the system, caused by the loading of third-party engine modules when the ENGINE_load_builtin_engines() function is used. By disguising malicious code as an OpenSSL engine module so that it is loaded by the Node.js process, an attacker could exploit this vulnerability to execute arbitrary code on the system.
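The entry names only the affected release lines (0.12, 4 and 6), so the first thing a practitioner needs is a way to tell which deployed Node.js binaries fall into those lines and below the patched releases. The triage helper below is an added example for this entry, not code from Node.js or IBM. The minimum patched versions it uses (v0.12.16, v4.6.0, v6.7.0) are an assumption taken from the September 2016 Node.js security release referenced under References; they are not stated on this page and must be confirmed against the vendor advisory before the script is relied on. The host inventory is constructed sample data.

```python
"""Triage helper: flag Node.js versions in the release lines this entry lists.

Added example for this advisory entry (not Node.js or IBM code). The page only
names the affected release lines 0.12, 4 and 6; the minimum patched versions in
FIXED_VERSIONS are ASSUMED from the September 2016 Node.js security release
cited in the References and must be verified before use.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# ASSUMPTION: first release of each affected line that no longer calls
# ENGINE_load_builtin_engines(). Keys are release lines: (0, minor) for the
# pre-1.0 lines, (major,) for 4.x and later.
FIXED_VERSIONS: Dict[Tuple[int, ...], Version] = {
    (0, 12): (0, 12, 16),
    (4,): (4, 6, 0),
    (6,): (6, 7, 0),
}

# Accepts "v4.6.0", "4.6.0", and tolerates a trailing pre-release tag.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Parse `node --version` style output into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def release_line(v: Version) -> Tuple[int, ...]:
    """Map a version to its release line key as used in FIXED_VERSIONS."""
    return (0, v[1]) if v[0] == 0 else (v[0],)


def is_affected(text: str) -> Optional[str]:
    """Classify a version string against this entry's affected lines.

    Returns "vulnerable", "patched", "not-listed" (release line not covered
    by this entry, e.g. 0.10 or 5.x), or None if the string is unparseable.
    """
    v = parse_version(text)
    if v is None:
        return None
    fixed = FIXED_VERSIONS.get(release_line(v))
    if fixed is None:
        return "not-listed"
    # Tuple comparison is lexicographic, so (4, 5, 0) < (4, 6, 0).
    return "vulnerable" if v < fixed else "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Classify every host in a {hostname: version_string} inventory."""
    return {host: is_affected(version) for host, version in inventory.items()}


def local_node_version() -> Optional[str]:
    """Return the version of the `node` on PATH, or None if unavailable."""
    try:
        out = subprocess.run(["node", "--version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    SAMPLE_INVENTORY = {
        "web-01": "v4.5.0",
        "web-02": "v4.6.0",
        "api-01": "v6.3.1",
        "legacy-01": "v0.12.15",
        "build-01": "v0.10.46",
        "unknown-01": "n/a",
    }
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
    local = local_node_version()
    if local is not None:
        print(f"{'localhost':12} {local:10} {is_affected(local)}")
```

Versions outside the three listed lines are reported as "not-listed" rather than "patched" on purpose: this entry's configuration says nothing about them, and silently treating them as safe would hide hosts that need a separate check against the vendor advisory.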
CVSS v3 Severity: 4.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
4.3 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 3.7 Low (CCN CVSS v2 Vector: AV:L/AC:H/Au:N/C:P/I:P/A:P)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Consequences: Gain Access
References: Source: CCN
Type: IBM Security Bulletin N1021765 (i)
Vulnerability CVE-2016-7099 and CVE-2016-5325 in Node.js affects IBM i

Source: CCN
Type: IBM Security Bulletin 1992427 (SDK for Node.js for Bluemix)
Multiple vulnerabilities may affect IBM SDK for Node.js in IBM Bluemix

Source: CCN
Type: IBM Security Bulletin 1992681 (Rational Application Developer for WebSphere Software)
Multiple OpenSSL and Non-OpenSSL vulnerabilities in Node.js included in Rational Application Developer for WebSphere Software.

Source: CCN
Type: IBM Security Bulletin 1995758 (Business Process Manager Advanced)
Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor

Source: CCN
Type: IBM Security Bulletin 1999445 (API Connect)
Multiple vulnerabilities in Node.js affects IBM API Connect (CVE-2016-7099, CVE-2016-5325)

Source: XF
Type: UNKNOWN
nodejs-engineloadbuiltinengines-code-exec(117537)

Source: CCN
Type: Node.js Blog, 2016-09-23
Security updates for all active release lines, September 2016

Source: CCN
Type: IBM Security Bulletin 1985392 (SDK for Node.js)
Multiple vulnerabilities may affect IBM SDK for Node.js

Vulnerable Configuration: Configuration CCN 1:
  • cpe:/a:nodejs:node.js:4.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:0.12.0:*:*:*:*:*:*:*
  • AND
  • cpe:/o:ibm:i:7.1:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.2:*:*:*:*:*:*:*
  • OR cpe:/o:ibm:i:7.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:api_connect:5.0.1.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    nodejs node.js 4.0.0
    nodejs node.js 6.0.0
    nodejs node.js 0.12.0
    ibm i 7.1
    ibm i 7.2
    ibm i 7.3
    ibm api connect 5.0.1.0