Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431)

2023-04-2716:00:02

www.ibm.com

0.001 Low

EPSS

Percentile

39.0%

JSON

Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431) The fix includes Eclipse Mosquitto v2.0.15

Vulnerability Details

CVEID:CVE-2021-41039
**DESCRIPTION:**Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted CONNECT packets containing lots of “user properties”, a remote attacker could exploit this vulnerability to cause excessive CPU usage and loss of performance, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/214367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-34432
**DESCRIPTION:**Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending a PUBLISH packet with zero value of length topic, a remote authenticated attacker could exploit this vulnerability to cause the server to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206468 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-34431
**DESCRIPTION:**Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw in the broker. By sending a specially-crafted CONNECT message, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM App Connect Enterprise	12.0.1.0 - 12.0.8.0
IBM App Connect Enterprise	11.0.0.0 - 11.0.0.20
IBM Integration Bus	10.1
IBM Integration Bus	10.0.0.0 - 10.0.0.26

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise & IBM Integration Bus

Product(s)

Version(s)

APAR

Remediation / Fix

—|—|—|—

IBM App Connect Enterprise

v12.0.1.0 - v12.0.8.0

IT43353

Interim fix for APAR (IT43353) is available to apply to 12.0.8.0 from

IBM Fix Central

IBM App Connect Enterprise

v11.0.0.0 -v11.0.0.20

IT43353

Interim fix for APAR (IT43353) is available to apply to 11.0.0.20 from

IBM Fix Central

IBM Integration Bus

v10.1

IT43353

Interim fix for APAR (IT43353) is available to apply to 10.1 from

IBM Fix Central

IBM Integration Bus

v10.0.0.0 -v10.0.0.26

IT43353

Interim fix for APAR (IT43353) is available to apply to 10.0.0.26 from

IBM Fix Central

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm app connect enterprisege12.0.1.0
ibm app connect enterprisele12.0.8.0
ibm app connect enterprisege11.0.0.0
ibm app connect enterprisele11.0.0.20
ibm integration buseq10.1
ibm integration busge10.0.0.0
ibm integration busle10.0.0.26

Name	Operator	Version
ibm app connect enterprise	ge	12.0.1.0
ibm app connect enterprise	le	12.0.8.0
ibm app connect enterprise	ge	11.0.0.0
ibm app connect enterprise	le	11.0.0.20
ibm integration bus	eq	10.1
ibm integration bus	ge	10.0.0.0
ibm integration bus	le	10.0.0.26