Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to a symlink attack due to CVE-2021-39134

Summary

IBM App Connect Enterprise Certified Container Integration Server images may be vulnerable to a symlink attack that could alter the files on disk due to vulnerabilities in the Node module npm. The npm module is not used at runtime by IBM App Connect Enterprise itself, but anyone using the certified containers as a base for their images may then have a version of npm that contains CVE-2021-39134

Vulnerability Details

CVEID:CVE-2021-39134
**DESCRIPTION:**Node.js @npmcli/arborist module could allow a local attacker to launch a symlink attack, caused by the failure of multiple dependencies to coexist within the same level in the node_modules hierarchy. A local attacker could exploit this vulnerability by creating a symbolic link from a temporary file to various files on the system, which could allow the attacker to create and overwrite arbitrary files on the system with elevated privileges.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208462 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.1 LTS

This only affects IntegrationServer components at version ​11.0.0.13-r2-eus. Upgrade to App Connect Enterprise Certified Container Operator version 1.1.4 EUS (available in CASE 1.1.4) or higher, and ensure that all IntegrationServers are at 11.0.0.13-r3-eus or higher.

Workarounds and Mitigations

None