History: Nov 30, 2022 - 6:38 p.m.

Security Bulletin: IBM API Connect is impacted by host header injection vulnerability (CVE-2021-38997)

Published: 2022-11-30 18:38:28
Source: www.ibm.com

Tags: ibm api connect, host header injection, vulnerability fix, v10.0.0.0, v2018.4.1.19

CVSS3 base score: 5.4 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS: 0.001 Low (percentile 19.8%)

Summary

IBM API Connect is impacted by a host header injection vulnerability. The fix addresses the host header injection vulnerability CVE-2021-38997.

Vulnerability Details

CVEID: CVE-2021-38997
**DESCRIPTION:** IBM API Connect is vulnerable to HTTP header injection, caused by improper validation of the HOST header. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213212 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)
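The description above names the root cause (a Host header that is used without validation) but not what correct handling looks like. The following is an added illustration of that defence, written for this page; it is not IBM API Connect's code, and the allowlist, canonical host and sample requests are constructed for the example. It validates the Host header against a configured allowlist, rejects duplicate or malformed values, ignores client-supplied `X-Forwarded-Host` unless the application is deployed behind a trusted proxy, and builds outbound links (the place where a poisoned Host usually does its damage) from configuration rather than from the request.

```python
"""Host header validation: added example for the vulnerability class described
in CVE-2021-38997 (improper validation of the Host header). Example code only,
not IBM API Connect's implementation; allowlist and inputs are constructed."""
import re
from typing import Iterable, Tuple
from urllib.parse import urlunsplit

# Constructed allowlist: the hosts this deployment legitimately serves.
ALLOWED_HOSTS = frozenset({"api.example.test", "api.example.test:443"})

# Constructed canonical host used for any link the service emits.
CANONICAL_HOST = "api.example.test"

# Hostname (letters, digits, '.', '-') with an optional numeric port.
# Anything else (CR/LF, spaces, '@', '/', '#') is rejected as malformed.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(?::\d{1,5})?$")


def validate_host(headers: Iterable[Tuple[str, str]],
                  allowed: frozenset = ALLOWED_HOSTS,
                  behind_trusted_proxy: bool = False) -> str:
    """Return the validated, lower-cased host or raise ValueError.

    `headers` is the raw (name, value) list as received, so duplicate Host
    headers are detected instead of silently taking the first or last one.
    X-Forwarded-Host is honoured only when a trusted proxy in front of the
    service is known to set it; otherwise a client could supply it directly.
    """
    hdrs = [(k.lower(), v) for k, v in headers]
    values = [v for k, v in hdrs if k == "x-forwarded-host"] if behind_trusted_proxy else []
    if not values:
        values = [v for k, v in hdrs if k == "host"]
    if len(values) != 1:
        raise ValueError(f"expected exactly one host value, got {len(values)}")
    host = values[0].strip().lower()
    if not _HOST_RE.match(host):
        raise ValueError("malformed Host header")
    if host not in allowed:
        raise ValueError(f"host {host!r} is not in the allowlist")
    return host


def is_valid_host(headers: Iterable[Tuple[str, str]], **kwargs) -> bool:
    """Boolean wrapper around validate_host for callers that only need a yes/no."""
    try:
        validate_host(headers, **kwargs)
        return True
    except ValueError:
        return False


def absolute_url(path: str, query: str = "", scheme: str = "https") -> str:
    """Build an absolute link (password reset, redirect, cache key) from the
    configured canonical host. The request's Host header is never used here,
    so a poisoned Host cannot end up in an emitted link even if routing accepted it."""
    return urlunsplit((scheme, CANONICAL_HOST, path, query, ""))


if __name__ == "__main__":
    # Constructed sample requests: one benign, one with an injected Host value.
    print(validate_host([("Host", "api.example.test")]))
    print(is_valid_host([("Host", "evil.test")]))
    print(absolute_url("/reset", "token=abc"))
```

Called from a request handler, `validate_host` should run before any routing or link generation, and `behind_trusted_proxy` should only be set from deployment configuration, never inferred from the request itself.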

Affected Products and Versions

API Connect V10.0.0.0 - V10.0.5.0
API Connect V10.0.1.0 - V10.0.1.7
API Connect V2018.4.1.0 - V2018.4.1.19

Remediation/Fixes

| Affected Product | Addressed in VRMF | Remediation/First Fix |
|---|---|---|
| IBM API Connect V10.0.0.0 - V10.0.5.0 | V10.0.5.1 | Addressed in IBM API Connect V10.0.5.1. The management server component is impacted. Follow this link and find the appropriate package: https://www.ibm.com/support/pages/node/6607906 |
| IBM API Connect V10.0.1.0 - V10.0.1.7 | V10.0.1.8 | Addressed in IBM API Connect V10.0.1.8. The management server component is impacted. Follow this link and find the appropriate package: https://www.ibm.com/support/pages/node/6607673 |
| IBM API Connect V2018.4.1.0 - V2018.4.1.19 | V2018.4.1.20 | Addressed in IBM API Connect V2018.4.1.20. The management server component is impacted. Follow this link and find the appropriate package: https://www.ibm.com/support/pages/node/6591073 |

Workarounds and Mitigations

None

Affected configurations

| CPE Name | Operator | Version |
|---|---|---|
| ibm api connect | eq | 10 |
| ibm api connect | eq | 2018 |
