Lucene search

IBM0B53E3200D5A713133384D9D4BDCA43744971BD77A6671BF60F2E13078EEFEB2

HistoryFeb 02, 2021 - 1:37 p.m.

Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113)

2021-02-0213:37:27

www.ibm.com

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID:CVE-2020-15106
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by improper data validation in the decodeRecord method. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause panic in decodeRecord method,
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186329 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-15112
**DESCRIPTION:**etcd is vulnerable to a denial of service, caused by a flaw in the ReadAll method in wal/wal.go. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause a runtime panic.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186328 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2020-15113
**DESCRIPTION:**etcd could allow a remote attacker to bypass security restrictions, caused by the lack of permission checks in the os.MkdirAll function when a given directory path exists already. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186327 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM API Connect	API Connect V10.0.1.0
IBM API Connect	V2018.4.1.0-2018.4.1.13

Remediation/Fixes

Affected Product	Addressed in VRMF	APAR	Remediation/First Fix

IBM API Connect

V2018.4.1.0-2018.4.1.13

| 2018.4.1.15|

LI81877

Addressed in IBM API Connect V2018.4.1.15.

All components are impacted.

Follow this link and find the packages.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V10.0.1.0

| 10.0.1.1|

LI81877

Addressed in IBM API Connect V10.0.1.1

All components are impacted.

Follow this link and find the packages.

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq2018.4.1.0
ibm api connecteq2018.4.1.13
ibm api connecteq10.0.0.0
ibm api connecteq10.0.1.0

Name	Operator	Version
ibm api connect	eq	2018.4.1.0
ibm api connect	eq	2018.4.1.13
ibm api connect	eq	10.0.0.0
ibm api connect	eq	10.0.1.0

7.1 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

JSON

Related for 0B53E3200D5A713133384D9D4BDCA43744971BD77A6671BF60F2E13078EEFEB2