Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23509

Summary

IBM App Connect Enterprise Certified Container may be affected by a prototype pollution flaw in the pointer parameter in json-ptr due to CVE-2021-23509

Vulnerability Details

CVEID:CVE-2021-23509
**DESCRIPTION:**Node.js json-ptr module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer parameter. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212823 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.4

Upgrade to App Connect Enterprise Certified Container Operator version 1.5.0 (available in CASE 1.5.0) or higher, and ensure that all components are at 12.0.1.0-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.2 EUS (available in CASE 1.1.2) or higher, and ensure that all components are at 11.0.0.13-r1-eus or higher.

Workarounds and Mitigations

None