
Security Bulletin: IBM Sterling Global Mailbox is vulnerable to denial of service due to CKeditor WYSIWYG editor (CVE-2021-26271, CVE-2021-26272)

Published: 2022-02-22 14:31:15
Source: www.ibm.com
EPSS: 0.002 (Low), percentile 53.2%

Summary

CKeditor WYSIWYG editor is shipped with IBM Sterling Global Mailbox. Denial of service vulnerabilities impact CKeditor WYSIWYG editor. Remediation is available for the issues.

Vulnerability Details

CVEID: CVE-2021-26271
**DESCRIPTION:** CKEditor is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Advanced Tab for Dialogs plugin. By persuading a victim to paste specially-crafted text into the Styles input of specific dialogs, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195665 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-26272
**DESCRIPTION:** CKEditor is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the Autolink plugin. By persuading a victim to paste specially-crafted URL-like text, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195667 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Global Mailbox | 6.1.x |
| IBM Sterling Global Mailbox | 6.0.x |

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by Apache CXF which is/are shipped with Global Mailbox.

| Product(s) | Version(s) | Instructions |
|---|---|---|
| IBM Sterling Global Mailbox | 6.0.3.5 | See B2Bi v6.0.3.5 section below |
| IBM Sterling Global Mailbox | 6.1.0.3 | See B2Bi v6.1.0.3 section below |
| IBM Sterling Global Mailbox | 6.1.1.0 | See B2Bi v6.1.1.0 section below |

B2Bi v6.0.3.5 -

IIM

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-B2Bi-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-SFG-All&includeSupersedes=0

Docker

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-B2Bi-Docker-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-SFG-Docker-All&includeSupersedes=0

B2Bi v6.1.1.0 -

Documentation Link: https://www.ibm.com/docs/en/b2b-integrator/6.1.1

What's New in 6.1.1.0: https://www.ibm.com/docs/en/b2b-integrator/6.1.1?topic=integrator-whats-new-in-6110

Note:

  • 6.1.1.0 is an IIM only release.
  • 6.1.1.0 is available only on Passport Advantage.

B2Bi v6.1.0.3 -

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.0.2&platform=All&function=fixId&fixids=6.1.0.3-OtherSoftware-B2Bi-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.0.2&platform=All&function=fixId&fixids=6.1.0.3-OtherSoftware-SFG-All&includeSupersedes=0

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.0.3

  • Certified Container Image

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.3

  • Helm Chart

https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.0.3.tgz

IBM Sterling File Gateway V6.1.0.3

  • Certified Container Image

cp.icr.io/cp/ibm-sfg/sfg:6.1.0.3

  • Helm Chart

https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.0.3.tgz
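The affected ranges (6.0.x, 6.1.x) and the fix levels (6.0.3.5, 6.1.0.3, 6.1.1.0) above are easy to misread when triaging an inventory by hand, because 6.1.1.0 is a separate release line rather than a fix pack on 6.1.0.x. The following script, an added example that is not IBM code and not part of the bulletin, encodes exactly the ranges stated on this page and classifies a version string as affected, fixed, or not listed. The version strings it is run against are constructed sample input; the product itself does not expose any such `assess` function.

```python
"""Classify an IBM Sterling Global Mailbox version against this bulletin.

Added example (not IBM code). The ranges below are taken from the bulletin's
"Affected Products and Versions" and "Remediation/Fixes" sections only.
"""
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Affected release lines and the minimum fix level for each, per the bulletin.
FIX_LEVEL = {
    (6, 0): (6, 0, 3, 5),
    (6, 1): (6, 1, 0, 3),
}
# 6.1.1.0 is listed as its own release line, so any 6.1.1.x is at or past it.
SEPARATE_FIXED_LINE: Version = (6, 1, 1, 0)


def parse_version(text: str) -> Version:
    """Parse 'a.b.c.d' (shorter forms are zero-padded) into a 4-tuple of ints."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return (nums[0], nums[1], nums[2], nums[3])


def assess(text: str) -> Tuple[str, Optional[str]]:
    """Return (status, recommended_fix).

    status is 'affected', 'fixed' or 'not listed'; recommended_fix is the
    dotted fix level to move to when status is 'affected', else None.
    """
    v = parse_version(text)
    line = (v[0], v[1])
    if line not in FIX_LEVEL:
        # Neither 6.0.x nor 6.1.x: this bulletin says nothing about it.
        return ("not listed", None)
    if line == (6, 1) and v >= SEPARATE_FIXED_LINE:
        return ("fixed", None)
    fix = FIX_LEVEL[line]
    if v >= fix:
        return ("fixed", None)
    return ("affected", ".".join(str(n) for n in fix))


def triage(versions: list) -> dict:
    """Map each inventory entry to its assessment; invalid strings are flagged."""
    report = {}
    for text in versions:
        try:
            report[text] = assess(text)
        except ValueError as exc:
            report[text] = ("invalid", str(exc))
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real deployment data.
    sample = ["6.0.3.4", "6.0.3.5", "6.1.0.2", "6.1.0.3", "6.1.1.0", "5.2.6", "6.1.x"]
    for name, (status, detail) in triage(sample).items():
        print(f"{name:10} {status:10} {detail or ''}")
```

Run it against the version reported by each Global Mailbox instance; only entries reported as `affected` need the fix pack named in the second column, and `not listed` means the bulletin does not cover that release line, not that it is safe.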

Workarounds and Mitigations

None
