IBM0AB88FA1BA9F4B3BD14275985B23E53577C278963878E2CBA53AD9C0D4A67860Security Bulletin: IBM Sterling B2B Integrator vulnerable due to Eclipse Jetty
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.476 Medium
EPSS
Percentile
97.4%
Summary
IBM Sterilng B2B Integrator has addressed multiple security vulnerabilities in Eclipse Jetty.
Vulnerability Details
CVEID:CVE-2021-34428
**DESCRIPTION:**Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an exception is thrown from the SessionListener#sessionDestroyed() method. By gaining access to the application on the shared computer, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 3.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204227 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
CVEID:CVE-2021-28169
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2021-34429
**DESCRIPTION:**Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by improper access control. By sending a specially-crafted URI, an attacker could exploit this vulnerability to obtain the content of the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.6 |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.0.5, 6…1.1.0 - 6.1.1.1 |
Remediation/Fixes
| Product | Version | APAR | Remediation & Fix |
|---|---|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.6 | IT38890 | Apply 6.0.3.7, 6.1.0.6, 6.1.1.2 or 6.1.2.0 |
| IBM Sterling B2B Integrator |
6.1.0.0 - 6.1.0.5
6.1.1.0 - 6.1.1.1
|
IT38890
| Apply 6.1.0.6, 6.1.1.2 or 6.1.2.0
The version 6.0.3.7 , 6.1.0.6 and 6.1.1.2 are available on Fix Central. The IIM version of 6.1.2.0 is available in IBM Passport Advantage. The container version of 6.1.2.0 is available in IBM Entitled Registry with following tags.
cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0 for IBM Sterling B2B Integrator
cp.icr.io/cp/ibm-sfg/sfg:6.1.2.0 for IBM Sterling File Gateway
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm sterling b2b integrator | eq | 6.0.0.0 | |
| ibm sterling b2b integrator | eq | 6.1.2.0 |
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.476 Medium
EPSS
Percentile
97.4%