Lucene search

K
ibmIBM2EF9066BA5F11D9986048F871CB871CE5CBCDF5603AD3266C94B320BA0759BAD
HistoryJun 22, 2022 - 10:25 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to privilege escalation due to CVE-2021-41617

2022-06-2210:25:08
www.ibm.com
27

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

Summary

OpenSSH is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to privilege escalation. This bulletin provides patch information to address the reported vulnerability CVE-2021-41617

Vulnerability Details

CVEID:CVE-2021-41617
**DESCRIPTION:**OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210062 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 1.1-eus with Operator
App Connect Enterprise Certified Container 3.0 with Operator
App Connect Enterprise Certified Container 3.1 with Operator
App Connect Enterprise Certified Container 4.0 with Operator
App Connect Enterprise Certified Container 4.1 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 3.0, 3.1, 4.0 and 4.1 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 4.2.0 or higher, and ensure that all components are at 12.0.4.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.10 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 11.0.0.18-r1-eus or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None

7 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

Related for 2EF9066BA5F11D9986048F871CB871CE5CBCDF5603AD3266C94B320BA0759BAD