Security Bulletin: IBM Sterling Global Mailbox vulnerable to security bypass due to Apache Zookeeper (CVE-2020-10663)

2023-01-04 06:11:50
www.ibm.com

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | HIGH |
| Availability Impact | NONE |

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | NONE |
| Integrity Impact | PARTIAL |
| Availability Impact | NONE |

EPSS: 0.006 Low (percentile 78.9%)

Summary

IBM Sterling Global Mailbox has addressed a security bypass issue in Apache Zookeeper.

Vulnerability Details

CVEID: CVE-2020-10663
**DESCRIPTION:** The RubyGems JSON gem for Ruby could allow a remote attacker to bypass security restrictions, caused by improper validation of input by the gem when parsing JSON documents. By parsing a specially crafted JSON document, an attacker could exploit this vulnerability to create a malicious object within the interpreter.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/181414 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
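The description above concerns the json gem's "additions" feature, which turns a document carrying a `json_class` key into an instance of the named Ruby class. The following is an added example (not from the IBM bulletin or the json project) showing the defensive parsing pattern for untrusted input: disable additions explicitly and confirm the result is plain data. The document, the `parse_untrusted`, `parse_with_additions` and `plain_data?` helpers are all constructed for this illustration.

```ruby
require 'json'
require 'json/add/range'   # defines Range.json_create, the hook the additions feature calls

# Constructed sample input: a JSON document that names a Ruby class via
# "json_class", the key the json gem's additions feature keys on.
UNTRUSTED_DOC = '{"json_class":"Range","a":[1,10,false]}'.freeze

# Hardened parse for data crossing a trust boundary: additions are turned off
# explicitly (do not rely on a default), so "json_class" stays a plain hash key.
def parse_untrusted(doc)
  JSON.parse(doc, create_additions: false)
end

# The contrasting call: with additions enabled the parser instantiates the
# class named in the document (here a Range). Shown only to make the
# difference visible; never use it on input you do not control.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Post-parse check: true only if the value is JSON data all the way down
# (Hash with String keys, Array, String, Numeric, true/false/nil), i.e. the
# parser created no application objects.
def plain_data?(value)
  case value
  when Hash  then value.all? { |k, v| k.is_a?(String) && plain_data?(v) }
  when Array then value.all? { |v| plain_data?(v) }
  when String, Numeric, true, false, nil then true
  else false
  end
end

if __FILE__ == $PROGRAM_NAME
  safe = parse_untrusted(UNTRUSTED_DOC)
  puts "hardened parse -> #{safe.class}: #{safe.inspect} (plain data: #{plain_data?(safe)})"
  risky = parse_with_additions(UNTRUSTED_DOC)
  puts "additions on    -> #{risky.class}: #{risky.inspect} (plain data: #{plain_data?(risky)})"
end
```

In json 2.x `JSON.parse` already defaults `create_additions` to `false`, while `JSON.load` historically enabled it; passing the option explicitly, and validating with a check like `plain_data?`, keeps the behaviour independent of which entry point a future refactor reaches for.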

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Global Mailbox | 6.0, 6.1 |

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes for Apache Zookeeper, which is shipped with Global Mailbox.

| Product | Version | Remediation |
|---|---|---|
| IBM Sterling Global Mailbox | 6.0, 6.1 | Apply fix pack 6.1.2.1 |

Fix Central

- Sterling B2B Integrator: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0
- Sterling File Gateway: https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and the IBM public chart repository, respectively.

- IBM Sterling B2B Integrator V6.1.2.1
- IBM Sterling File Gateway V6.1.2.1

Workarounds and Mitigations

None