Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by a ReDoS flaw when processing URLs (CVE-2021-33502)

Summary

App Connect Enterprise Certified Container may be vulnerable to a ReDoS (regular expression denial of service) flaw when processing URLs due to vulnerability CVE-2021-33502

Vulnerability Details

CVEID:CVE-2021-33502
**DESCRIPTION:**Node.js normalize-url module is vulnerable to a denial of service, caused by a ReDoS (regular expression denial of service) flaw in the data URLs. By using a specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202299 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.2 1.3 and 1.4 CD

Upgrade to App Connect Enterprise Certified Container Operator version 1.5.0 (available in CASE 1.5.0) or higher, and ensure that all components are at 12.0.1.0-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.2 EUS (available in CASE 1.1.2) or higher, and ensure that all components are at 11.0.0.13-r1-eus or higher.

Workarounds and Mitigations

None