Security Bulletin: IBM Security Verify Information Queue uses a Wire Schema jar with multiple vulnerabilities (CVE-2020-27853, CVE-2021-41093)

Published: 2022-07-20 19:31:24
Source: www.ibm.com

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

EPSS: 0.01 Low (Percentile: 83.5%)

Summary

The connect image in IBM Security Verify Information Queue (ISIQ) v10.0.2 uses an older version of the Wire Schema jar file that is vulnerable to remote attackers. ISIQ v10.0.3 upgraded its connect image to include a newer Wire Schema jar that remediates the vulnerabilities. (CVE-2020-27853, CVE-2021-41093)

Vulnerability Details

CVEID: CVE-2021-41093
**DESCRIPTION:** Wire App for iOS could allow a remote attacker to bypass security restrictions, caused by improper session management for the short-lived token. By changing the email address, an attacker could exploit this vulnerability to take over the user account.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/210604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-27853
**DESCRIPTION:** Wire could allow a remote attacker to execute arbitrary code on the system, caused by a format string vulnerability in sdp_media_set_lattr in peerflow/sdp.c. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/190632 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)                      Version(s)
IBM Security Verify Information Queue    10.0.2

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Download and install the latest ISIQ images, tagged at 10.0.3 or greater, from the ISIQ Starter Kit page at <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>

Workarounds and Mitigations

None
