History: Apr 27, 2023 - 4:00 p.m.

Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431)

2023-04-27 16:00:02
www.ibm.com
ibm
app connect enterprise
integration bus
denial of service
eclipse mosquitto
cve-2021-41039
cve-2021-34432
cve-2021-34431
vulnerability
fix

CVSS2

5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

39.6%

Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431). The fix includes Eclipse Mosquitto v2.0.15.

Vulnerability Details

CVEID: CVE-2021-41039
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted CONNECT packets containing a large number of "user properties", a remote attacker could exploit this vulnerability to cause excessive CPU usage and loss of performance, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/214367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-34432
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending a PUBLISH packet with a zero-length topic, a remote authenticated attacker could exploit this vulnerability to cause the server to crash.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/206468 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-34431
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw in the broker. By sending a specially-crafted CONNECT message, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/206314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

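All three CVEs above are broker-side handling failures on MQTT v5 control packets, and two of them are pure input-validation problems: a CONNECT carrying an unbounded number of User Properties, and a PUBLISH whose Topic Name has length zero. The following added example, written for this page and not taken from IBM, App Connect Enterprise or Eclipse Mosquitto, shows the parse-time checks a broker or an MQTT-aware proxy in front of one can apply to those two packet shapes: it decodes the fixed header, the variable-byte-integer lengths and the v5 property block with bounds checks, rejects a PUBLISH with an empty Topic Name unless a Topic Alias property is present (that is the MQTT v5 specification's own rule, not the upstream patch), and refuses a CONNECT whose User Property count exceeds a limit before any per-property work is done. The sample packets are built by the encoders at the bottom and are constructed, not captured; MAX_USER_PROPERTIES, the helper names and the client id are assumptions for the example. The memory-leak case (CVE-2021-34431) is an object-lifetime bug inside the broker, which no parser check addresses; there the only remedy is the version upgrade the bulletin ships.

```python
"""Parse-time checks for the malformed MQTT v5 packets named in this bulletin.
Added example, not IBM or Eclipse Mosquitto code; sample packets are constructed
inline (not captures) and MAX_USER_PROPERTIES is an assumed policy limit."""
import struct

CONNECT, PUBLISH = 1, 3
USER_PROPERTY, TOPIC_ALIAS = 0x26, 0x23
MAX_USER_PROPERTIES = 16                            # assumed policy knob
# Property id -> struct format, "len" (2-byte length + data) or "pair" (User
# Property: two length-prefixed UTF-8 strings). MQTT v5 section 2.2.2.2 subset.
PROPERTY_TYPES = {0x01: ">B", 0x02: ">I", 0x03: "len", 0x08: "len", 0x09: "len",
                  0x11: ">I", 0x15: "len", 0x16: "len", 0x17: ">B", 0x19: ">B",
                  0x21: ">H", 0x22: ">H", 0x23: ">H", 0x26: "pair", 0x27: ">I"}

class MalformedPacket(ValueError):
    pass

def read_bytes(buf, pos, n):
    if pos + n > len(buf):
        raise MalformedPacket("field runs past end of packet")
    return buf[pos:pos + n], pos + n

def read_vbi(buf, pos):
    """Variable Byte Integer: 7 data bits per byte, 0x80 = continuation, max 4."""
    value = 0
    for i in range(4):
        b, pos = read_bytes(buf, pos, 1)
        value |= (b[0] & 0x7F) << (7 * i)
        if not b[0] & 0x80:
            return value, pos
    raise MalformedPacket("variable byte integer longer than 4 bytes")

def read_len(buf, pos):
    """UTF-8 string or binary data: 2-byte big-endian length, then the bytes."""
    raw, pos = read_bytes(buf, pos, 2)
    return read_bytes(buf, pos, struct.unpack(">H", raw)[0])

def parse_properties(buf, pos):
    """Decode a v5 property block into [(identifier, value)], bounds-checked."""
    length, pos = read_vbi(buf, pos)
    end = pos + length
    if end > len(buf):
        raise MalformedPacket("property length exceeds packet")
    props = []
    while pos < end:
        ident, pos = read_vbi(buf, pos)
        kind = PROPERTY_TYPES.get(ident)
        if kind == "len":
            value, pos = read_len(buf, pos)
        elif kind == "pair":
            key, pos = read_len(buf, pos)
            value, pos = read_len(buf, pos)
            value = (key.decode("utf-8"), value.decode("utf-8"))
        elif kind:
            raw, pos = read_bytes(buf, pos, struct.calcsize(kind))
            value = struct.unpack(kind, raw)[0]
        else:
            raise MalformedPacket("unknown property 0x%02x" % ident)
        props.append((ident, value))
    if pos != end:
        raise MalformedPacket("property block overruns its declared length")
    return props, pos

def check_packet(packet):
    """Validate one v5 CONNECT or PUBLISH: raise MalformedPacket or summarise it."""
    ptype, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, pos = read_vbi(packet, 1)
    if pos + remaining != len(packet):
        raise MalformedPacket("remaining length does not match packet size")
    if ptype == PUBLISH:
        topic, pos = read_len(packet, pos)
        if (flags >> 1) & 0x03:                     # QoS > 0: skip packet identifier
            _, pos = read_bytes(packet, pos, 2)
        props, pos = parse_properties(packet, pos)
        # CVE-2021-34432 class: an empty Topic Name is legal only with a Topic
        # Alias (MQTT v5 3.3.2.1); never pass an empty topic to routing code.
        if not topic and not any(i == TOPIC_ALIAS for i, _ in props):
            raise MalformedPacket("zero-length topic without Topic Alias")
        return {"type": "PUBLISH", "topic": topic.decode("utf-8")}
    if ptype == CONNECT:
        head, pos = read_bytes(packet, pos, 10)     # name, level, flags, keep-alive
        if head[:7] != b"\x00\x04MQTT\x05":
            raise MalformedPacket("only MQTT v5 CONNECT is handled here")
        props, pos = parse_properties(packet, pos)
        n_user = sum(1 for i, _ in props if i == USER_PROPERTY)
        # CVE-2021-41039 class: bound the count before any per-property work.
        if n_user > MAX_USER_PROPERTIES:
            raise MalformedPacket("%d user properties exceeds limit" % n_user)
        return {"type": "CONNECT", "user_properties": n_user}
    raise MalformedPacket("packet type %d not handled here" % ptype)

def verdict(packet):
    try:
        return "accepted: %s" % check_packet(packet)["type"]
    except MalformedPacket as exc:
        return "rejected: %s" % exc

# Encoders used only to build the constructed sample packets below.
def encode_vbi(n):
    return bytes([n]) if n < 128 else bytes([n % 128 | 0x80]) + encode_vbi(n // 128)

def encode_str(s):
    return struct.pack(">H", len(s.encode("utf-8"))) + s.encode("utf-8")

def build_connect(user_props):
    props = b"".join(bytes([USER_PROPERTY]) + encode_str(k) + encode_str(v)
                     for k, v in user_props)
    body = (b"\x00\x04MQTT\x05\x02\x00\x3c" + encode_vbi(len(props)) + props
            + encode_str("client-1"))               # v5, clean start, keep-alive 60
    return bytes([CONNECT << 4]) + encode_vbi(len(body)) + body

def build_publish(topic, topic_alias=None):
    props = struct.pack(">BH", TOPIC_ALIAS, topic_alias) if topic_alias else b""
    body = encode_str(topic) + encode_vbi(len(props)) + props + b"hello"
    return bytes([PUBLISH << 4]) + encode_vbi(len(body)) + body

GOOD_CONNECT = build_connect([("app", "ace")])
FLOOD_CONNECT = build_connect([("k%d" % i, "v") for i in range(500)])
GOOD_PUBLISH = build_publish("sensors/temp")
EMPTY_TOPIC_PUBLISH = build_publish("")
ALIAS_PUBLISH = build_publish("", topic_alias=7)
```

Calling `verdict()` on each sample shows the two rules at work: FLOOD_CONNECT is rejected on the count alone, so the cost of refusing it is bounded by the packet length rather than by anything done per property, and EMPTY_TOPIC_PUBLISH is rejected while ALIAS_PUBLISH is accepted. That last pair is the caveat worth keeping: a blanket `len(topic) == 0` rejection would also drop conforming v5 clients that publish by Topic Alias, which is why the check looks at the property block first.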
Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.8.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.20 |
| IBM Integration Bus | 10.1 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise & IBM Integration Bus.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.8.0 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 12.0.8.0 from IBM Fix Central |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.20 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 11.0.0.20 from IBM Fix Central |
| IBM Integration Bus | v10.1 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 10.1 from IBM Fix Central |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 10.0.0.26 from IBM Fix Central |

Workarounds and Mitigations

None

