Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a denial of service attack through a DNS lookup that returns a large number of responses (CVE-2020-8277)

Summary

An App Connect Enterprise flow could trigger a denial of service if made to resolve a DNS lookup for an endpoint that returns a large number of responses

Vulnerability Details

CVEID:CVE-2020-8277
**DESCRIPTION:**Node.js is vulnerable to a denial of service. By getting the application to resolve a DNS record with a larger number of responses, an attacker could exploit this vulnerability to trigger a DNS request for a host of their choice resulting in a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/191755 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.0 and 1.2 CD

Upgrade to App Connect Enterprise Certified Container to Operator version 1.3.0 (available in CASE 1.3.0) or higher, and ensure that all components are at 11.0.0.11-r2 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.1 EUS (available in CASE 1.1.1) or higher, and ensure that all components are at 11.0.0.12-r1-eus or higher.

Workarounds and Mitigations

None