Security Bulletin: IBM API Connect is impacted by vulnerabilities in Node.js (CVE-2021-22884, CVE-2021-22883)

Published: 2021-11-01 20:05:35
Source: www.ibm.com

CVSS3: 7.5 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.005 Low (Percentile: 72.6%)

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2021-22884
**DESCRIPTION:** Node.js is vulnerable to a denial of service, caused by an error when the allowlist includes “localhost6”. By controlling the victim’s DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the “localhost6” domain and cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID: CVE-2021-22883
**DESCRIPTION:** Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an ‘unknownProtocol’, an attacker could exploit this vulnerability to cause excessive memory usage and make the system run out of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/197190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

API Connect V10.0.1.0 - V10.0.1.4
API Connect V2018.4.1.0-2018.4.1.15
API Connect V10.0.2

Remediation/Fixes

| Affected Product | Affected Versions | Addressed in VRMF | APAR | Remediation/First Fix |
|---|---|---|---|---|
| IBM API Connect | V2018.4.1.0-2018.4.1.15 | 2018.4.1.16 | LI82400 | Addressed in IBM API Connect V2018.4.1.16. Follow this link and find the appropriate package: http://www.ibm.com/support/fixcentral/swg/quickorder |
| IBM API Connect | V10.0.1.0-10.0.1.4 | 10.0.1.5 | LI82400 | Addressed in IBM API Connect V10.0.1.5. Follow this link and find the appropriate package: http://www.ibm.com/support/fixcentral/swg/quickorder |
| IBM API Connect | 10.0.2 | 10.0.3 | LI82400 | Addressed in IBM API Connect 10.0.3. Follow this link and find the appropriate package: http://www.ibm.com/support/fixcentral/swg/quickorder |

Workarounds and Mitigations

None

| CPE Name | Operator | Version |
|---|---|---|
| ibm api connect | eq | 2018 |
| ibm api connect | eq | 10 |
