Security Bulletin: A security vulnerability in NGINX ffects IBM Cloud Automation Manager

Summary

A security vulnerability in NGINX ffects IBM Cloud Automation Manager.

Vulnerability Details

CVEID:CVE-2021-3618
**DESCRIPTION:**Sendmail, vsftpd and NGINX could provide weaker than expected security, caused by an ALPACA (application layer protocol content confusion) attack, which exploits TLS servers implementing different protocols but using compatible certificates. By using man-in the-middle attack techniques, a remote attacker with access to victim’s traffic at the TCP/IP layer could redirect traffic from one subdomain to another, resulting in a valid TLS session. The session breaks the authentication of TLS and the packages become vulnerable to cross-protocol attacks.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207761 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

Download IBM Cloud Automation Manager 4.2.0.1 iFix 4 from http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-cam-3.2.1-build600699&includeSupersedes=0

Follow the instructions in Readme link in http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Cloud+Private&release=All&platform=All&function=fixId&fixids=icp-cam-3.2.1-build600699&includeSupersedes=0 to install the iFix 4 to your IBM Cloud Automation Manager 4.2.0.1.

Workarounds and Mitigations

None