Security Bulletin: App Connect Enterprise Certified Container is vulnerable to CVE-2019-11324

Published: 2020-10-01 09:55:20 (source: www.ibm.com)
EPSS: 0.007 (80.3rd percentile)

Summary

The App Connect Enterprise Certified Container Dashboard is vulnerable to CVE-2019-11324 through its use of CouchDB for storing flow data, where the Operator is installed in a Restricted Network cluster.

Vulnerability Details

CVEID: CVE-2019-11324
DESCRIPTION: urllib3 before 1.24.2 mishandles the case where the desired set of CA certificates differs from the OS certificate store (when an ssl_context, ca_certs, or ca_cert_dir argument is supplied), which results in SSL connections succeeding where a verification failure is the correct outcome. A remote attacker presenting a certificate that chains to a CA in the OS store rather than to the intended CA set could therefore bypass this security restriction.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159909 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
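As an added example (not code from the bulletin, IBM, or the CouchDB Operator), a small Python check that flags an affected urllib3 build in pip-freeze style output gathered from the CouchDB container. The fixed-version threshold of 1.24.2 comes from the upstream urllib3 changelog; the freeze output embedded below is constructed, and the kubectl command in the comment is an assumption about how one might collect it.

```python
"""Flag urllib3 versions affected by CVE-2019-11324 in pip-freeze style output."""
import re
from typing import Optional, Tuple

# Upstream fixed the CA-store mishandling in urllib3 1.24.2; anything older is affected.
FIXED_VERSION = "1.24.2"

# Constructed sample of `pip freeze` output. In practice this could be gathered with
# something like `kubectl exec <couchdb-pod> -- pip freeze` (assumed; not from the bulletin).
SAMPLE_FREEZE = """\
certifi==2019.3.9
CouchDB==1.2
requests==2.21.0
urllib3==1.24.1
"""

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:\.?(a|b|rc|dev)\d*)?")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.24.2' or '1.24.2rc1' into a comparable 4-tuple.

    The numeric part is padded to three components; the fourth is 0 for a final
    release and -1 for a pre-release, so '1.24.2rc1' sorts below '1.24.2'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    parts.append(-1 if m.group(2) else 0)
    return tuple(parts)


def installed_version(freeze_output: str, package: str) -> Optional[str]:
    """Return the pinned version of `package` from pip-freeze lines, or None if absent.

    Only `name==version` pins are recognised; an editable or URL install
    (`name @ file://...`) yields None and should be inspected by hand.
    """
    pattern = re.compile(rf"^{re.escape(package)}==([^\s;]+)", re.IGNORECASE | re.MULTILINE)
    m = pattern.search(freeze_output)
    return m.group(1) if m else None


def is_affected(version: str) -> bool:
    """True when the given urllib3 version predates the 1.24.2 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def audit(freeze_output: str) -> dict:
    """Summarise whether the urllib3 in a freeze listing is affected by CVE-2019-11324."""
    ver = installed_version(freeze_output, "urllib3")
    if ver is None:
        return {"installed": None, "affected": False, "reason": "urllib3 not pinned in listing"}
    affected = is_affected(ver)
    reason = (f"urllib3 {ver} < {FIXED_VERSION}: affected by CVE-2019-11324"
              if affected else f"urllib3 {ver} >= {FIXED_VERSION}: not affected")
    return {"installed": ver, "affected": affected, "reason": reason}


if __name__ == "__main__":
    print(audit(SAMPLE_FREEZE)["reason"])
```

Run it against the real freeze listing of the CouchDB pod rather than the constructed sample; a None result for `installed` means the package was installed some other way and needs manual inspection.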

Affected Products and Versions

Affected Product(s)                          Version(s)
App Connect Enterprise Certified Container   1.0.0 with Operator
App Connect Enterprise Certified Container   1.0.1 with Operator
App Connect Enterprise Certified Container   1.0.2 with Operator
App Connect Enterprise Certified Container   1.0.3 with Operator

Remediation/Fixes

Upgrade App Connect Enterprise Certified Container to Operator version 1.0.4, as defined in CASE 1.0.5. That CASE explicitly places a prerequisite on CouchDB Operator 1.2.1, which resolves CVE-2019-11324.

Workarounds and Mitigations

None