Security Bulletin: IBM Sterling Global Mailbox is vulnerable to security bypass due to Apache HttpClient (CVE-2020-13956)

Summary

Vulnerability in Apache HttpClient library shipped with IBM Sterling Global Mailbox has been addressed.

Vulnerability Details

CVEID:CVE-2020-13956
**DESCRIPTION:**Apache HttpClient could allow a remote attacker to bypass security restrictions, caused by the improper handling of malformed authority component in request URIs. By passing request URIs to the library as java.net.URI object, an attacker could exploit this vulnerability to pick the wrong target host for request execution.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189572 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by Jackson Databind which is shipped with Global Mailbox.

Product

|

Version

|

Fix / Remediation

—|—|—

IBM Sterling Global Mailbox

|

6.0.3.7

|

Apply 6.0.3.8

IBM Sterling Global Mailbox|

6.1.2.0

|

Apply 6.1.2.1

6.0.3.8 is now available on Fix Central -

B2Bi IIM
Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-All&source=SAR

B2Bi Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-Docker-All&source=SAR

SFG IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-All&source=SAR

SFG Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-Docker-All&source=SAR

6.1.2.1 IIM & Certified Container is now available on Fix Central -

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.2.1

• Certified Container Image

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1

• Helm Chart

<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.1.1.tgz&gt;

IBM Sterling File Gateway V6.1.2.1

• Certified Container Image

cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1

• Helm Chart
  <https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.1.1.tgz&gt;

Workarounds and Mitigations

None