Vulnerability Name:

CVE-2019-5739 (CCN-158096)

Assigned: 2019-02-28
Published: 2019-02-28
Updated: 2020-10-16
Summary: Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
CVSS v3 Severity:
7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): High

CVSS v2 Severity:
5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): None
Integrity (I): None
Availability (A): Complete

Vulnerability Type: CWE-770
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2019-5739

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2019:1076

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2019:1173

Source: CCN
Type: IBM Security Bulletin 878584 (Voice Gateway)
Multiple security vulnerabilities in Node.js affect IBM Voice Gateway

Source: CCN
Type: IBM Security Bulletin 886797 (SDK for Node.js for Bluemix)
Multiple vulnerabilities affect IBM SDK for Node.js in IBM Cloud

Source: XF
Type: UNKNOWN
nodejs-cve20195739-dos(158096)

Source: CCN
Type: Node.js Blog, 2019-02-28
February 2019 Security Releases

Source: MISC
Type: Vendor Advisory
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

Source: GENTOO
Type: Third Party Advisory
GLSA-202003-48

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190502-0008/

Source: CCN
Type: IBM Security Bulletin 787619 (i)
Vulnerabilities CVE-2019-5739 and CVE-2019-5737 in Node.js affect IBM i

Source: CCN
Type: IBM Security Bulletin 876608 (Business Automation Workflow)
Security vulnerabilities in IBM SDK for Node.js might affect the configuration editor used by IBM Business Automation Workflow and IBM Business Process Manager (BPM)

Source: CCN
Type: IBM Security Bulletin 879891 (Cloud Private)
Multiple Security Vulnerabilities affect IBM Cloud Private (CVE-2019-5739 CVE-2019-5737 CVE-2019-1559)

Source: CCN
Type: IBM Security Bulletin 886471 (Secure Gateway Client)
Secure Gateway is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 957299 (Watson Developer Cloud)
Multiple vulnerabilities affect IBM Watson Assistant for IBM Cloud Pak for Data

Source: CCN
Type: IBM Security Bulletin 957439 (Integration Bus)
Vulnerability in Node.js affects IBM Integration Bus & IBM App Connect Enterprise V11

Source: CCN
Type: IBM Security Bulletin 961594 (Security QRadar Packet Capture)
Node.js as used in IBM QRadar Packet Capture is vulnerable to the following CVE's (CVE-2019-1559, CVE-2019-5737, CVE-2019-5739)

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:lts:*:*:* (Version <= 6.16.0)

Configuration 2:
  • cpe:/o:opensuse:leap:42.3:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:6.0.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:business_automation_workflow:18.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:18.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:business_automation_workflow:19.0.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20195739 | V | CVE-2019-5739 | 2022-05-22
oval:org.opensuse.security:def:59874 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:57541 | P | Security update for MozillaFirefox (Important) | 2021-12-12
oval:org.opensuse.security:def:38744 | P | Security update for bind (Important) | 2021-11-09
oval:org.opensuse.security:def:58026 | P | Security update for the Linux Kernel (Live Patch 40 for SLE 12 SP3) (Important) | 2021-10-18
oval:org.opensuse.security:def:57096 | P | Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important) | 2021-09-23
oval:org.opensuse.security:def:14262 | P | libnetpbm11-10.66.3-7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13995 | P | p7zip-9.20.1-6.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14356 | P | procmail-3.22-267.12 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14342 | P | pcsc-ccid-1.4.25-4.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14133 | P | fetchmail-6.3.26-12.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14084 | P | apache2-mod_apparmor-2.8.2-49.21 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:15015 | P | libjpeg62-32bit-62.2.0-31.14.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14263 | P | libnghttp2-14-1.7.1-1.84 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14169 | P | ibus-chewing-1.4.14-4.11 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13986 | P | mozilla-nspr-32bit-4.12-15.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14343 | P | perl-32bit-5.18.2-11.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14331 | P | openslp-2.0.0-17.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14085 | P | apache2-mod_jk-1.2.40-5.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:15016 | P | libjson-c2-0.11-2.15 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14016 | P | python-imaging-1.1.7-21.15 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14993 | P | libgc1-7.2d-5.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14170 | P | ipsec-tools-0.8.0-18.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13987 | P | mutt-1.6.0-54.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14150 | P | gnome-shell-3.20.4-76.3 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14287 | P | libsndfile1-1.0.25-35.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14332 | P | openssh-7.2p2-69.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14017 | P | python-libxml2-2.9.4-27.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14994 | P | libgcab-1_0-0-0.6-1.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13994 | P | opie-2.4-724.56 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14355 | P | ppp-2.4.7-3.4 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14151 | P | gnutls-3.3.27-1.10 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14132 | P | expat-2.1.0-20.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14288 | P | libsnmp30-32bit-5.7.3-4.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:57934 | P | Security update for MozillaFirefox (Important) | 2021-06-08
oval:org.opensuse.security:def:38090 | P | Security update for bind (Important) | 2021-05-04
oval:org.opensuse.security:def:39535 | P | Security update for tomcat6 (Important) | 2021-04-21
oval:org.opensuse.security:def:60481 | P | Security update for python3 (Moderate) | 2021-03-19
oval:org.opensuse.security:def:58100 | P | Security update for the Linux Kernel (Live Patch 35 for SLE 12 SP3) (Important) | 2021-03-17
oval:org.opensuse.security:def:38089 | P | Security update for bind (Important) | 2021-02-18
oval:org.opensuse.security:def:57826 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:59438 | P | Security update for python3 (Important) | 2020-12-02
oval:org.opensuse.security:def:56718 | P | Security update for samba, talloc, tevent (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58219 | P | Security update for systemd (Important) | 2020-12-01
oval:org.opensuse.security:def:37995 | P | libz1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59992 | P | Security update for clamav (Important) | 2020-12-01
oval:org.opensuse.security:def:38812 | P | tftp on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:57269 | P | Security update for Xen | 2020-12-01
oval:org.opensuse.security:def:38783 | P | python-libxml2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38227 | P | java-1_7_0-openjdk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60599 | P | Security update for dnsmasq (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39536 | P | Security update for nodejs6 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39493 | P | Security update for python3 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38477 | P | rzsz on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37994 | P | libykcs11-1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38386 | P | libudisks2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60696 | P | Security update for krb5-appl (Important) | 2020-12-01
oval:org.opensuse.security:def:38695 | P | liblua5_2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59280 | P | Security update for dovecot22 (Important) | 2020-12-01
oval:org.opensuse.security:def:60909 | P | Security update for MozillaFirefox (Important) | 2020-12-01
oval:org.opensuse.security:def:56696 | P | Security update for drm (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58138 | P | Security update for bzip2 (Important) | 2020-12-01
oval:org.opensuse.security:def:38784 | P | python-pyOpenSSL on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:58243 | P | Security update for nodejs6 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39494 | P | Security update for nodejs6 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38005 | P | mipv6d on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38855 | P | lcms on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56695 | P | Security update for libdb-4_8 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38387 | P | libunwind on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38328 | P | libmusicbrainz4 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38696 | P | liblzo2-2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38636 | P | libQt5Concurrent5 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59258 | P | Security update for the Linux Kernel (Live Patch 33 for SLE 12 SP2) (Important) | 2020-12-01
oval:org.opensuse.security:def:60818 | P | Security update for mariadb (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59691 | P | Security update for freetype2 (Important) | 2020-12-01
oval:org.opensuse.security:def:38745 | P | libxcb-dri2-0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60938 | P | Security update for nodejs6 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56858 | P | Security update for systemd (Important) | 2020-12-01
oval:org.opensuse.security:def:58169 | P | Security update for java-1_8_0-ibm (Important) | 2020-12-01
oval:org.opensuse.security:def:38006 | P | mozilla-nspr-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60181 | P | Security update for postgresql, postgresql96, postgresql10 and postgresql12 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38856 | P | libIlmImf-Imf_2_1-21-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:59257 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:57375 | P | Security update for jasper | 2020-12-01
oval:org.opensuse.security:def:38811 | P | tcpdump on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38329 | P | libmysqlclient18 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38226 | P | java-11-openjdk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38637 | P | libQt5WebKit5 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38476 | P | ruby on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37993 | P | libyaml-0-2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60780 | P | Security update for spice (Moderate) | 2020-12-01
oval:org.opensuse.security:def:60859 | P | Security update for libssh2_org (Moderate) | 2020-12-01
oval:org.opensuse.security:def:84391 | P | Security update for nodejs6 (Moderate) | 2019-03-29
oval:org.opensuse.security:def:80878 | P | Security update for nodejs6 (Moderate) | 2019-03-29
oval:com.ubuntu.xenial:def:201957390000000 | V | CVE-2019-5739 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-03-28
oval:com.ubuntu.bionic:def:20195739000 | V | CVE-2019-5739 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-03-28
oval:com.ubuntu.cosmic:def:20195739000 | V | CVE-2019-5739 on Ubuntu 18.10 (cosmic) - medium. | 2019-03-28
oval:com.ubuntu.cosmic:def:201957390000000 | V | CVE-2019-5739 on Ubuntu 18.10 (cosmic) - medium. | 2019-03-28
oval:com.ubuntu.trusty:def:20195739000 | V | CVE-2019-5739 on Ubuntu 14.04 LTS (trusty) - medium. | 2019-03-28
oval:com.ubuntu.bionic:def:201957390000000 | V | CVE-2019-5739 on Ubuntu 18.04 LTS (bionic) - medium. | 2019-03-28
oval:com.ubuntu.xenial:def:20195739000 | V | CVE-2019-5739 on Ubuntu 16.04 LTS (xenial) - medium. | 2019-03-28

    nodejs node.js *
    opensuse leap 42.3
    nodejs node.js 6.0.0
    ibm business automation workflow 18.0.0.0
    ibm cloud private 2.1.0
    ibm business automation workflow 18.0.0.1
    ibm cloud private 3.1.0
    ibm integration bus 10.0.0
    ibm cloud private 3.1.1
    ibm business automation workflow 18.0.0.2
    ibm cloud private 3.1.2
    ibm business automation workflow 19.0.0.1