
Security Bulletin: IBM Integration Bus is vulnerable to denial of service due to ansi-regex module (CVE-2021-3807)

2022-07-04 16:16:14
www.ibm.com

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: COMPLETE

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: NONE
- Availability Impact: HIGH

EPSS: 0.004 Low (Percentile: 73.6%)

Summary

IBM Integration Bus is vulnerable to a denial of service due to the ansi-regex module for Node.js (CVE-2021-3807). This affects the version of Node.js shipped with IBM Integration Bus, for which a mitigation has been recommended.

Vulnerability Details

CVEID: CVE-2021-3807
**DESCRIPTION:** Chalk ansi-regex module for Node.js is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209596 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
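The flaw class described above is a backtracking regular expression whose matching time grows super-linearly on crafted input. The defensive counterpart is to strip ANSI escape sequences with a single-pass scanner that examines each character a bounded number of times. The block below is an added example written for this bulletin; it is not code from IBM, from Node.js, or from the ansi-regex project. It assumes a practical subset of ECMA-48 (CSI and OSC sequences, which cover terminal colour codes and hyperlinks found in application logs) and keeps any ESC that does not begin a well-formed sequence verbatim.

```javascript
// Added example (not IBM's or ansi-regex's code): strip ANSI escape sequences
// with a hand-written, single-pass scanner instead of a backtracking regex,
// so no input can drive the matcher into super-linear (ReDoS) behaviour.
//
// Assumed subset of ECMA-48:
//   CSI : ESC '[' params(0x30-0x3F)* intermediates(0x20-0x2F)* final(0x40-0x7E)
//   OSC : ESC ']' ... terminated by BEL (0x07) or ST (ESC '\')
// An ESC that does not start a well-formed sequence is kept as-is.

const ESC = "\u001b";
const BEL = "\u0007";

function inRange(code, lo, hi) {
  return code >= lo && code <= hi;
}

function stripAnsi(input) {
  const n = input.length;
  let out = "";
  let i = 0;
  // Earliest index from which we already know no OSC terminator follows.
  // Remembering it stops repeated unterminated OSC starts from re-scanning
  // the tail of the input, which would otherwise make the worst case quadratic.
  let noOscTerminatorFrom = Infinity;

  while (i < n) {
    const ch = input[i];
    if (ch !== ESC) { out += ch; i += 1; continue; }

    const next = input[i + 1];
    if (next === "[") {
      // CSI: parameter bytes, then intermediate bytes, then one final byte.
      // None of these ranges contains ESC, so CSI scans never overlap.
      let j = i + 2;
      while (j < n && inRange(input.charCodeAt(j), 0x30, 0x3f)) j += 1;
      while (j < n && inRange(input.charCodeAt(j), 0x20, 0x2f)) j += 1;
      if (j < n && inRange(input.charCodeAt(j), 0x40, 0x7e)) {
        i = j + 1; // well-formed CSI sequence: drop it entirely
        continue;
      }
    } else if (next === "]") {
      // OSC: forward scan for BEL or ESC '\' (ST).
      let j = i + 2;
      let end = -1;
      if (j < noOscTerminatorFrom) {
        while (j < n) {
          if (input[j] === BEL) { end = j + 1; break; }
          if (input[j] === ESC && input[j + 1] === "\\") { end = j + 2; break; }
          j += 1;
        }
        if (end === -1) noOscTerminatorFrom = i + 2;
      }
      if (end !== -1) { i = end; continue; } // well-formed OSC: drop it
    }
    // Not a recognised sequence: keep the ESC and advance one character.
    out += ch;
    i += 1;
  }
  return out;
}

// Constructed sample log lines (not from any real system) to show the
// scanner on coloured output, an OSC hyperlink and a malformed sequence.
const sampleLines = [
  "\u001b[31mERROR\u001b[0m disk full on /var",
  "see \u001b]8;;https://example.invalid/runbook\u0007runbook\u001b]8;;\u0007",
  "truncated sequence \u001b[ should survive",
];
for (const line of sampleLines) {
  console.log(JSON.stringify(stripAnsi(line)));
}
```

Because every character is consumed by at most one CSI scan, one OSC scan or the main loop, the running time is linear in the input length regardless of content; that bound, not the regex syntax, is what a ReDoS-resistant sanitizer needs.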

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Integration Bus (Linux x86-64 and Windows x86-64 only) | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

None

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below.

For IBM Integration Bus v10.0.0.24 - v10.0.0.26, users can disable Node.js.

Refer to: Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs

Affected configurations (Vulners)

- ibm integration_bus: 10.0.0.0 - 10.0.0.26
