Lucene search

K
ibmIBM792BF04E2C0539998A61ADA44EA13FB46E68BBCFCF00FFCC418128C037DF5CDD
HistoryMar 01, 2024 - 4:12 p.m.

Security Bulletin: nginx is vulnerable to CVE-2021-23017 used in IBM Maximo Application Suite - Edge Data Collector Component

2024-03-0116:12:25
www.ibm.com
94
ibm maximo application suite
edge data collector
nginx
vulnerability
cve-2021-23017
remote code execution
cvss 8.1
fixpack 8.11.2

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score

7.1

Confidence

High

EPSS

0.316

Percentile

97.1%

Summary

IBM Maximo Application Suite - Edge Data Collector Component uses nginx which is vulnerable to CVE-2021-23017. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

**CVEID:**CVE-2021-23017 DESCRIPTION: NGINX could allow a remote attacker to execute arbitrary code on the system, caused by an off-by-one error in ngx_resolver_copy() while processing DNS responses. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202450 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Maximo Application Suite - Edge Data Collector 8.11.1

Remediation/Fixes

Affected Product(s) Fixpack Version(s)
IBM Maximo Application Suite -Edge Data Collecto 8.11.2 or latest (available from the Catalog under Update Available)

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmaximo_application_suiteMatch8.11
VendorProductVersionCPE
ibmmaximo_application_suite8.11cpe:2.3:a:ibm:maximo_application_suite:8.11:*:*:*:*:*:*:*

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.7

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

AI Score

7.1

Confidence

High

EPSS

0.316

Percentile

97.1%