History: Apr 10, 2024 - 8:56 p.m.

Security Bulletin: IBM Sterling B2B Integrator vulnerable to security bypass due to Apache Santuario XML Security for Java (CVE-2021-40690)

2024-04-10 20:56:51
www.ibm.com
ibm sterling b2b integrator
security bypass
apache santuario xml security
cve-2021-40690
vulnerabilities
remediation
fixes
iim versions
container version

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.9 Medium (Confidence: High)

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.001 Low (Percentile: 40.3%)

Summary

IBM Sterling B2B Integrator uses Apache Santuario XML Security for Java. This bulletin identifies the steps to take to address the vulnerabilities.

Vulnerability Details

CVEID: CVE-2021-40690
**DESCRIPTION:** Apache Santuario XML Security for Java could allow a remote attacker to bypass security restrictions, caused by the improper passing of the "secureValidation" property when creating a KeyInfo from a KeyInfoReference element. An attacker could exploit this vulnerability to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/209586 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
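The description above turns on a single library setting: Santuario's secure validation mode, which is meant to refuse XPath transforms and RetrievalMethod dereferencing, was not carried over when a KeyInfo was built from a KeyInfoReference. The following is an added example, not IBM's or the Santuario project's code, showing how a consuming application normally switches that mode on through the JSR 105 API shipped with the JDK (property name `org.jcp.xml.dsig.secureValidation`), with the verification key pinned rather than taken from KeyInfo. The class name and method names are hypothetical. Because the defect is inside the library's own propagation of the flag, this caller-side setting does not substitute for applying the fixed B2BI versions listed below; it is the baseline configuration a reviewer should expect to find in signature-verifying code.

```java
import java.io.InputStream;
import java.security.PublicKey;
import java.util.Iterator;
import javax.xml.XMLConstants;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/**
 * Hypothetical helper (not part of IBM Sterling B2B Integrator or Apache Santuario)
 * that validates an XML Signature with JSR 105 secure validation enabled.
 */
public final class SecureSignatureValidator {

    /** Standard JSR 105 property that enables secure validation mode. */
    private static final String SECURE_VALIDATION = "org.jcp.xml.dsig.secureValidation";

    private SecureSignatureValidator() {}

    /** Parses XML with a hardened, namespace-aware parser: no DOCTYPE, no entity expansion. */
    public static Document parse(InputStream in) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true); // required to locate ds:Signature by namespace
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        return db.parse(in);
    }

    /**
     * Returns true only if the single ds:Signature in the document verifies against
     * the supplied, pre-agreed key with secure validation switched on.
     */
    public static boolean validate(Document doc, PublicKey expectedKey) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException(
                    "expected exactly one ds:Signature, found " + sigs.getLength());
        }

        // Pin the verification key; do not resolve it from the document's KeyInfo.
        DOMValidateContext ctx = new DOMValidateContext(
                KeySelector.singletonKeySelector(expectedKey), sigs.item(0));

        // The setting this bulletin is about: in secure validation mode the library is
        // expected to reject XPath transforms and RetrievalMethod dereferencing.
        ctx.setProperty(SECURE_VALIDATION, Boolean.TRUE);

        XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
        XMLSignature signature = factory.unmarshalXMLSignature(ctx);
        boolean coreValid = signature.validate(ctx);

        if (!coreValid) {
            // Report which part failed so operators can tell a wrong key from tampered content.
            boolean signatureValueOk = signature.getSignatureValue().validate(ctx);
            System.err.println("SignatureValue valid: " + signatureValueOk);
            Iterator<?> refs = signature.getSignedInfo().getReferences().iterator();
            while (refs.hasNext()) {
                Reference ref = (Reference) refs.next();
                System.err.println("Reference " + ref.getURI() + " valid: " + ref.validate(ctx));
            }
        }
        return coreValid;
    }
}
```

Call `validate(parse(stream), key)` with a key obtained out of band; the per-Reference diagnostics are only printed on failure, so a successful verification stays quiet.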

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.9 |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.2.3 |
| IBM Sterling B2B Integrator | 6.2.0.0 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now.

| Product | Version | Remediation & Fix |
|---|---|---|
| IBM Sterling B2B Integrator | 6.0.0.0 - 6.0.3.9 | Apply B2BI 6.1.2.5 or 6.2.0.1 |
| IBM Sterling B2B Integrator | 6.1.0.0 - 6.1.2.3 | Apply B2BI 6.1.2.5 or 6.2.0.1 |
| IBM Sterling B2B Integrator | 6.2.0.0 | Apply B2BI 6.2.0.1 |

The IIM versions of 6.1.2.5 and 6.2.0.1 are available on Fix Central.

The container versions of 6.1.2.5 and 6.2.0.1 are available in IBM Entitled Registry.

Workarounds and Mitigations

None
