The version of F5 Networks BIG-IP installed on the remote host is prior to 16.1.6 / 17.1.2.2 / 17.5.0. It is, therefore, affected by multiple vulnerabilities as referenced in the K000137093 advisory.

    CVE-2018-7167Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could     result in a Denial of Service. In order to address this vulnerability, the implementations of     Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in these cases.
    All versions of Node.js 6.x (LTS Boron), 8.x (LTS Carbon), and 9.x are vulnerable. All versions of     Node.js 10.x (Current) are NOT vulnerable.CVE-2018-12115In all versions of Node.js prior to 6.14.4, 8.11.4     and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`,     `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single     `Buffer`. Writes that start from the second-to-last position of a buffer cause a miscalculation of the     maximum length of the input bytes to be written.CVE-2018-12116Node.js: All versions prior to Node.js     6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided     Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a     second, unexpected, and user-defined HTTP request to made to the same server.

Tenable has extracted the preceding description block directly from the F5 Networks BIG-IP security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

F5 Networks BIG-IP : Node.js vulnerabilities (K000137093)

high Nessus Plugin ID 182423

Version 1.7