History: Oct 07, 2021 - 2:38 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors (CVE-2021-29906)

www.ibm.com

EPSS: 0

Percentile: 5.1%

Summary

IBM App Connect Enterprise may include the hash of an IBM Cloud API key that is used by an Integration Server in the Pod definition of that Integration Server. This is only present if the Integration Server is configured to communicate with the cloud-based connectors in a cloud instance of IBM App Connect.

Vulnerability Details

**CVEID:** CVE-2021-29906
**DESCRIPTION:** IBM App Connect Enterprise Certified Container could disclose sensitive information to a local user when it is configured to use an IBM Cloud API key to connect to cloud-based connectors.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207630 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| App Connect Enterprise Certified Container | 1.0 with Operator |
| App Connect Enterprise Certified Container | 1.1 with Operator |
| App Connect Enterprise Certified Container | 1.2 with Operator |
| App Connect Enterprise Certified Container | 1.3 with Operator |
| App Connect Enterprise Certified Container | 1.4 with Operator |
| App Connect Enterprise Certified Container | 1.5 with Operator |

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4 and 1.5

Upgrade to App Connect Enterprise Certified Container Operator version 2.0.0 (available in CASE 2.0.0) or higher, and ensure that all Designer components are at 12.0.1.0-r4 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.3 EUS (available in CASE 1.1.3) or higher, and ensure that all Designer components are at 11.0.0.13-r2-eus or higher.

Workarounds and Mitigations

The hash of the API key is only present if the Integration Server is configured to communicate with the cloud-based connectors in a cloud instance of IBM App Connect.
