Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Spring Framework (CVE-2021-22060)

Summary

IBM Sterilng B2B Integrator has addressed a security vulnerability in Spring Framework.

Vulnerability Details

CVEID:CVE-2021-22060
**DESCRIPTION:**VMware Tanzu Spring Framework could allow a remote authenticated attacker to bypass security restrictions, caused by improper input validation. By sending a specially-crafted request, an attacker could exploit this vulnerability to insert additional log entries.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217183 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

6.1.0.0 - 6.1.0.5

6.1.1.0 - 6.1.1.1

Remediation/Fixes

6.1.0.0 - 6.1.0.5

6.1.1.0 - 6.1.1.1

| IT41291| Apply 6.1.0.6, 6.1.1.2 or 6.1.2.0

The version 6.0.3.7, 6.1.0.6 and 6.1.1.2 are available on Fix Central. The IIM version of 6.1.2.0 is available in IBM Passport Advantage. The container version of 6.1.2.0 is available in IBM Entitled Registry with following tags.

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0 for IBM Sterling B2B Integrator
cp.icr.io/cp/ibm-sfg/sfg:6.1.2.0 for IBM Sterling File Gateway

Workarounds and Mitigations

None