Lucene search

K
ibmIBM51BBFE15032E896C106479B5FC1CE9A7106605BCFD9A8A8474AE133C2595571D
HistoryOct 20, 2021 - 10:08 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to CVE-2021-22918

2021-10-2010:08:20
www.ibm.com
23
ibm
app connect enterprise
container
vulnerability
denial of service
cve-2021-22918
node.js
upgrade
operator versions

EPSS

0.001

Percentile

46.5%

Summary

IBM App Connect Enterprise Certified Container may be vulnerable to denial of service due to CVE-2021-22918. This only affects Node.js runtime processes.

Vulnerability Details

CVEID:CVE-2021-22918
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an out-of-bounds read in the libuvโ€™s uv__idna_toascii() function. By invoking the function using dns moduleโ€™s lookup() function, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/204784 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 1.0 with Operator
App Connect Enterprise Certified Container 1.1 with Operator
App Connect Enterprise Certified Container 1.2 with Operator
App Connect Enterprise Certified Container 1.3 with Operator
App Connect Enterprise Certified Container 1.4 with Operator
App Connect Enterprise Certified Container 1.5 with Operator
App Connect Enterprise Certified Container 2.0 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4, 1.5 and 2.0

Upgrade to App Connect Enterprise Certified Container Operator version 2.1.0 (available in CASE 2.1.0) or higher, and ensure that all components are at 12.0.2.0-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.4 EUS (available in CASE 1.1.4) or higher, and ensure that all components are at 11.0.0.14-r1-eus or higher.

Workarounds and Mitigations

None