History: Jul 26, 2021 - 4:53 p.m.

Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management

2021-07-26 16:53:38
www.ibm.com

EPSS: 0.002 (Low)
EPSS Percentile: 60.8%

Summary

A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management.

Vulnerability Details

CVEID: CVE-2021-22902
**DESCRIPTION:** Ruby on Rails is vulnerable to a denial of service, caused by a use-after-free flaw in Action Dispatch. By sending specially-crafted Accept headers, a remote attacker could exploit this vulnerability to cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-22904
**DESCRIPTION:** Ruby on Rails is vulnerable to a denial of service, caused by a use-after-free flaw in the Token Authentication logic in Action Controller. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/201283 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak for Multicloud Management Infrastructure Management | All |

Remediation/Fixes

Upgrade to the latest IBM Cloud Pak for Multicloud Management 2.3 fixpack by following the instructions in <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=installation-upgrade>.

Workarounds and Mitigations

None
