7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
OpenSSH is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to privilege escalation. This bulletin provides patch information to address the reported vulnerability CVE-2021-41617
CVEID:CVE-2021-41617
**DESCRIPTION:**OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by an error in sshd when certain non-default configurations are used. By executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser directive has been set to run the command as a non-root user, an attacker could exploit this vulnerability to gain privileges associated with group memberships of the sshd process.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/210062 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 1.1-eus with Operator |
App Connect Enterprise Certified Container | 3.0 with Operator |
App Connect Enterprise Certified Container | 3.1 with Operator |
App Connect Enterprise Certified Container | 4.0 with Operator |
App Connect Enterprise Certified Container | 4.1 with Operator |
App Connect Enterprise Certified Container 3.0, 3.1, 4.0 and 4.1 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 4.2.0 or higher, and ensure that all components are at 12.0.4.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)
Upgrade to App Connect Enterprise Certified Container Operator version 1.1.10 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 11.0.0.18-r1-eus or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator>
None
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P