IBM App Connect Enterprise Certified Container could allow a remote attacker to execute arbitrary code due to CVE-2021-33195. This affects the Operator itself and the ACE server image
CVEID:CVE-2021-33195
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 1.0 with Operator |
App Connect Enterprise Certified Container | 1.1 with Operator |
App Connect Enterprise Certified Container | 1.2 with Operator |
App Connect Enterprise Certified Container | 1.3 with Operator |
App Connect Enterprise Certified Container | 1.4 with Operator |
App Connect Enterprise Certified Container 1.0, 1.2, 1.3 and 1.4 CD
Upgrade to App Connect Enterprise Certified Container Operator version 1.5.0 (available in CASE 1.5.0) or higher, and ensure that all Integration Server components are at 12.0.1.0-r1 or higher.
App Connect Enterprise Certified Container 1.1 LTS
Upgrade to App Connect Enterprise Certified Container Operator version 1.1.2 EUS (available in CASE 1.1.2) or higher, and ensure that all Integration Server components are at 11.0.0.13-r1-eus or higher.
None