Vulnerability Name: CVE-2018-7164 (CCN-144739)

Assigned: 2018-06-12
Published: 2018-06-12
Updated: 2022-08-29
Summary: Node.js versions 9.7.0 and later and 10.x are vulnerable and the severity is MEDIUM. A bug introduced in 9.7.0 increases the memory consumed when reading from the network into JavaScript using the net.Socket object directly as a stream. An attacker could use this to cause a denial of service by sending tiny chunks of data in short succession. This vulnerability was fixed by reverting to the prior behaviour.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-400
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2018-7164

Source: CCN
Type: IBM Security Bulletin 0715995 (i)
Multiple Vulnerabilities in Node.js affect IBM i

Source: CCN
Type: IBM Security Bulletin 2012749 (SDK for Node.js for Bluemix)
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud

Source: BID
Type: Third Party Advisory, VDB Entry
104463

Source: CCN
Type: BID-104463
Node.js CVE-2018-7164 Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
nodejs-cve20187164-dos(144739)

Source: CCN
Type: Node.js Blog, 2018-06-12
June 2018 Security Releases

Source: CONFIRM
Type: Vendor Advisory
https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/

Source: GENTOO
Type: Third Party Advisory
GLSA-202003-48

Source: CCN
Type: IBM Security Bulletin 718901 (Cloud Private)
Multiple Security Vulnerabilities affect IBM Cloud Private and IBM Cloud Private Cloud Foundry (CVE-2018-7167, CVE-2018-7164, CVE-2018-7162, CVE-2018-1000168, CVE-2018-7161)

Source: CCN
Type: IBM Security Bulletin 2016866 (Business Automation Workflow)
Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and Business Process Manager (BPM)

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 10.0.0 and < 10.4.1)
  • OR cpe:/a:nodejs:node.js:*:*:*:*:*:*:*:* (Version >= 9.7.0 and < 9.11.2)

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:9.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:nodejs:node.js:10.0.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:i2_enterprise_insight_analysis:2.1.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:2.1.0:*:*:*:*:*:*:*

  * Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20187164 | V | CVE-2018-7164 | 2022-09-02
oval:org.opensuse.security:def:94259 | P | (Important) | 2022-07-12
oval:org.opensuse.security:def:1681 | P | Security update for qemu (Important) (in QA) | 2022-06-13
oval:org.opensuse.security:def:1094 | P | Security update for libqt5-qtbase (Important) | 2022-03-15
oval:org.opensuse.security:def:1689 | P | Security update for python-Twisted (Important) | 2022-02-18
oval:org.opensuse.security:def:71348 | P | mozilla-nspr-32bit-4.20-3.3.2 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:66928 | P | Security update for grafana-piechart-panel (Moderate) | 2021-09-21
oval:org.opensuse.security:def:64761 | P | Security update for java-11-openjdk (Important) | 2021-09-03
oval:org.opensuse.security:def:70284 | P | Security update for mariadb (Moderate) | 2021-08-25
oval:org.opensuse.security:def:48168 | P | libpcap1-1.8.1-10.3.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47751 | P | libnm-glib-vpn1-1.0.12-13.6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48316 | P | sysconfig-0.84.0-13.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47615 | P | gdk-pixbuf-lang-2.34.0-19.17.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47944 | P | alsa-1.0.27.2-15.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47616 | P | gdk-pixbuf-loader-rsvg-2.40.20-5.6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:48076 | P | libXfixes3-32bit-5.0.1-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:47630 | P | groff-1.22.2-5.287 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:100972 | P | libsha1detectcoll-devel-1.0.3-2.18 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:68008 | P | Security update for the Linux Kernel (Live Patch 22 for SLE 15 SP1) (Important) | 2021-07-14
oval:org.opensuse.security:def:66836 | P | Security update for gupnp (Important) | 2021-06-18
oval:org.opensuse.security:def:48843 | P | imobiledevice-tools-1.2.0-7.31 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48676 | P | gnome-shell-calendar-3.10.4-22.13 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48741 | P | libproxy1-networkmanager-32bit-0.4.11-11.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48530 | P | libopenssl-devel-1.0.2j-55.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48772 | P | gcc48-gij-32bit-4.8.5-30.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:48614 | P | res-signingkeys-3.0.18-26.1 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:73619 | P | Security update for dtc (Low) | 2021-05-13
oval:org.opensuse.security:def:64674 | P | Security update for python3 (Moderate) | 2021-03-24
oval:org.opensuse.security:def:68108 | P | Security update for the Linux Kernel (Live Patch 18 for SLE 15 SP1) (Important) | 2021-03-17
oval:org.opensuse.security:def:90088 | P | nodejs10-10.15.2-1.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:71461 | P | cpp7-7.5.0+r278197-4.16.2 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2319 | P | nodejs10-10.19.0-1.18.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103743 | P | nodejs10-10.15.2-1.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63400 | P | nodejs10-10.15.2-1.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:107638 | P | nodejs10-10.19.0-1.18.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:63408 | P | nodejs10-10.19.0-1.18.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:117196 | P | nodejs10-10.19.0-1.18.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:2311 | P | nodejs10-10.15.2-1.6.1 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:50068 | P | libecpg6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:73501 | P | glibc-devel-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50122 | P | nodejs10 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50076 | P | libsaml-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:70179 | P | log4j12-javadoc on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:50130 | P | nodejs10 on GA media (Moderate) | 2020-12-01
oval:com.ubuntu.artful:def:20187164000 | V | CVE-2018-7164 on Ubuntu 17.10 (artful) - untriaged. | 2018-06-13
oval:com.ubuntu.bionic:def:201871640000000 | V | CVE-2018-7164 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-06-13
oval:com.ubuntu.bionic:def:20187164000 | V | CVE-2018-7164 on Ubuntu 18.04 LTS (bionic) - medium. | 2018-06-13
oval:com.ubuntu.xenial:def:201871640000000 | V | CVE-2018-7164 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-06-13
oval:com.ubuntu.trusty:def:20187164000 | V | CVE-2018-7164 on Ubuntu 14.04 LTS (trusty) - medium. | 2018-06-13
oval:com.ubuntu.xenial:def:20187164000 | V | CVE-2018-7164 on Ubuntu 16.04 LTS (xenial) - medium. | 2018-06-13