Security Bulletin: IBM Sterling B2B Integrator B2B API vulnerable to multiple issues due to Apache Zookeeper (CVE-2019-0201, CVE-2021-21409)

Summary

IBM Sterling B2B Integrator has addressed the security vulnerabilities in Apache Zookeeper.

Vulnerability Details

CVEID:CVE-2019-0201
**DESCRIPTION:**Apache ZooKeeper could allow a remote attacker to obtain sensitive information, caused by the failure to check permissions by the getACL() command. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/161303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-21409
**DESCRIPTION:**Netty is vulnerable to request smuggling, caused by improper validation of request, caused by missing validation of content-length. By sending specially-crafted request, an attacker could exploit this vulnerability to poison a web-cache, perform an XSS attack, or obtain sensitive information from request.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199150 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

The version 6.0.3.7 , 6.1.0.5 and 6.1.1.1 are available on Fix Central. The IIM version of 6.1.2.0 is available in IBM Passport Advantage. The container version of 6.1.2.0 is available in IBM Entitled Registry with following tags.

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.0 for IBM Sterling B2B Integrator
cp.icr.io/cp/ibm-sfg/sfg:6.1.2.0 for IBM Sterling File Gateway

Workarounds and Mitigations

None