Security Bulletin: Multiple vulnerabilities affect IBM Sterling External Authentication Server

Summary

Multiple vulnerabilities affect IBM Sterling External Authentication Server. These vulnerabilities have been addressed in the latest iFix.

Vulnerability Details

CVEID:CVE-2021-33502
**DESCRIPTION:**Node.js normalize-url module is vulnerable to a denial of service, caused by a ReDoS (regular expression denial of service) flaw in the data URLs. By using a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202299 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-35720
**DESCRIPTION:**IBM Sterling External Authentication Server uses weaker than expected cryptographic algorithms during installation that could allow a local attacker to decrypt sensitive information.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231373 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

**IBM X-Force ID:**232247
**DESCRIPTION:**axios could allow a remote attacker to obtain sensitive information, caused by the leak of sensitive information in the cookie header. By persuading a victim to connect a specially-crafted Web site, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232247 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Workarounds and Mitigations

None