Lucene search

IBM0AD025BF3AE3D08B1A4F474D2A0C2CEA08DB4E0B31A299CC87A32EFE83C51190

HistoryAug 08, 2022 - 10:11 a.m.

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-43565

2022-08-0810:11:17

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

35.0%

JSON

Summary

Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Go CVE-2021-43565 with details below

Vulnerability Details

CVEID:CVE-2021-43565
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an input validation flaw in golang.org/x/crypto’s readCipherPacket() function. By sending an empty plaintext packet to a program linked with golang.org/x/crypto/ssh, a remote attacker could exploit this vulnerability to cause a panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219761 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Cloud Integration Platform	All
Affected Product(s)	Version(s)
—	—
Platform Navigator in IBM Cloud Pak for Integration (CP4I)	2020.4.1
2021.1.1
2021.2.1
2021.3.1
2021.4.1
Automation Assets in IBM Cloud Pak for Integration (CP4I)	2020.4.1
2021.1.1
2021.2.1
2021.4.1

Remediation/Fixes

Platform Navigator 2020.4.1 in****IBM Cloud Pak for Integration

Upgrade Platform Navigator 2020.4.1 to 2020.4.1-6-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface>

Platform Navigator version 2021.1, 2021.2, 2021.3, or 2021.4 in IBM Cloud Pak for Integration

Upgrade Platform Navigator to 2021.4.1-1 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.4?topic=upgrading-platform-navigator-cloud-pak-integration-instance>

Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration**

Upgrade Asset Repository to 2020.4.1-7-eus using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-asset-repository>

Asset Repository version 2021.1, 2021.2, or 2021.4 in IBM Cloud Pak for Integration

Upgrade Asset Repository to 2022.2.1-0 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets>

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm cloud integration platformeqany

CPE	Name	Operator	Version
	ibm cloud integration platform	eq	any

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.001 Low

EPSS

Percentile

35.0%

JSON

Related for 0AD025BF3AE3D08B1A4F474D2A0C2CEA08DB4E0B31A299CC87A32EFE83C51190