IBM App Connect Enterprise Certified Container DesignerAuthoring operands may be vulnerable to loss of confidentiality due to CVE-2021-4189
Summary
Python is included in the DesignerAuthoring component when Mapping Assist is enabled. The Python FTP module is vulnerable due to CVE-2021-4189. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability CVE-2021-4189.
Vulnerability Details
CVEID: CVE-2021-4189 DESCRIPTION: Python could allow a remote attacker to obtain sensitive information, caused by a flaw when using the FTP client library in PASV (passive) mode. By using a specially-crafted FTP server, an attacker could exploit this vulnerability to obtain service banner information from private network., and use this information to launch further attacks against the affected system. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/227269 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
Affected Product(s) Version(s) App Connect Enterprise Certified Container 1.1-eus with Operator App Connect Enterprise Certified Container 3.0 with Operator App Connect Enterprise Certified Container 3.1 with Operator App Connect Enterprise Certified Container 4.0 with Operator App Connect Enterprise Certified Container 4.1 with Operator […]
IBM App Connect Enterprise Certified Container operands may be vulnerable to arbitrary code execution due to CVE-2021-3634
Summary
libssh is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability CVE-2021-3634
Vulnerability Details
CVEID: CVE-2021-3634 DESCRIPTION: libssh is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208281 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
Affected Products and Versions
Affected Product(s) Version(s) App Connect Enterprise Certified Container 1.1-eus with Operator App Connect Enterprise Certified Container 3.0 with Operator App Connect Enterprise Certified Container 3.1 with Operator App Connect Enterprise Certified Container 4.0 with Operator App Connect Enterprise Certified Container 4.1 with Operator[…]
IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2018-25032
Summary
Zlib is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability CVE-2018-25032.
Vulnerability Details
CVEID: CVE-2018-25032 DESCRIPTION: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many distant matches, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222615 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
Affected Product(s) Version(s) App Connect Enterprise Certified Container 1.1-eus with Operator App Connect Enterprise Certified Container 3.0 with Operator App Connect Enterprise Certified Container 3.1 with Operator App Connect Enterprise Certified Container 4.0 with Operator App Connect Enterprise Certified Container 4.1 with Operator[…]
IBM App Connect Enterprise Certified Container operands may be vulnerable to privilege escalation due to CVE-2021-41617
Summary
OpenSSH is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to privilege escalation. This bulletin provides patch information to address the reported vulnerability CVE-2021-41617
Vulnerability Details
CVEID: CVE-2021-41617 DESCRIPTION: OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process. CVSS Base score: 7.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210062 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Affected Product(s) Version(s) App Connect Enterprise Certified Container 1.1-eus with Operator App Connect Enterprise Certified Container 3.0 with Operator App Connect Enterprise Certified Container 3.1 with Operator App Connect Enterprise Certified Container 4.0 with Operator App Connect Enterprise Certified Container 4.1 with Operator […]
When assessing vulnerability risks you need to include an Inside-Out approach. Infrared360 can help you mitigate inside-out IBM App Connecct vulnerabilities, and all your middleware inside-out vulnerabilities – while giving your middleware team smarter, easier, tools for optimizing performance and meeting SLAs. Check out the information below or our Infrared360 overview.