Security Bulletin: IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195

Summary

IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195. This affects the Operator itself and the ACE server image

Vulnerability Details

CVEID:CVE-2021-33195
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.2, 1.3 and 1.4 CD

Upgrade to App Connect Enterprise Certified Container Operator version 1.5.0 (available in CASE 1.5.0) or higher, and ensure that all Integration Server components are at 12.0.1.0-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.2 EUS (available in CASE 1.1.2) or higher, and ensure that all Integration Server components are at 11.0.0.13-r1-eus or higher.

Workarounds and Mitigations

None