Lucene search

K
ibmIBM25E389B8AC7393F53CD395DAA8343A4DAFD32AA0F027FAB25DDFA3D7B55FDFE6
HistoryJul 29, 2022 - 6:37 p.m.

Security Bulletin: IBM DataPower Gateway affected by vulnerability in Node (CVE-2021-44531)

2022-07-2918:37:20
www.ibm.com
18
ibm datapower gateway
vulnerability
cve-2021-44531
fix
node.js
security restrictions
uri subject alternative name
bypass
apic gateway service

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

65.3%

Summary

IBM has addressed the CVE below which may affect the APIC Gateway Service

Vulnerability Details

**CVEID:**CVE-2021-44531 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the improper handling of URI Subject Alternative Name (SAN) types. An attacker could exploit this vulnerability to bypass name-constrained intermediates.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216930 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM DataPower Gateway V10CD 10.0.2.0 - 10.0.4.0
IBM DataPower Gateway 10.0.1 10.0.1.0 - 10.0.1.6
IBM DataPower Gateway 2018.4.1 All

Remediation/Fixes

Affected Products Fixed in version APAR
IBM DataPower Gateway V10CD 10.5.0.0, 10.0.4.0sr1 IT40394
IBM DataPower Gateway 10.0.1 10.0.1.7 IT40394
IBM DataPower Gateway 2018.4.1 10.0.1.7 IT40394
Customers using 2018.4.1 may obtain the fix by upgrading to 10.0.1.7 or later

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmdatapower_gatewayMatch2018.4.1
OR
ibmdatapower_gatewayMatch10.0.1
OR
ibmdatapower_gatewayMatch10
VendorProductVersionCPE
ibmdatapower_gateway2018.4.1cpe:2.3:a:ibm:datapower_gateway:2018.4.1:*:*:*:*:*:*:*
ibmdatapower_gateway10.0.1cpe:2.3:a:ibm:datapower_gateway:10.0.1:*:*:*:*:*:*:*
ibmdatapower_gateway10cpe:2.3:a:ibm:datapower_gateway:10:*:*:*:*:*:*:*

CVSS2

5.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS3

7.4

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score

7.6

Confidence

High

EPSS

0.002

Percentile

65.3%