Security Bulletin: App Connect Enterprise Certified Container is vulnerable to CVE-2019-11324

2020-10-0109:55:20

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Summary

The App Connect Enterprise Certified Container Dashboard is vulnerable to CVE-2019-11324 through its use of CouchDB for storing flow data, where the Operator is installed in a Restricted Network cluster.

Vulnerability Details

CVEID:CVE-2019-11324
**DESCRIPTION:**urllib3 could allow a remote attacker to bypass security restrictions, caused by mishandling of certificates. By sending a specially-crafted certificate, an attacker could exploit this vulnerability to allow SSL connections.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159909 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	1.0.0 with Operator
App Connect Enterprise Certified Container	1.0.1 with Operator
App Connect Enterprise Certified Container	1.0.2 with Operator
App Connect Enterprise Certified Container	1.0.3 with Operator

Remediation/Fixes

Upgrade to App Connect Enterprise Certified Container to Operator version 1.0.4 as defined in CASE 1.0.5. This explicitly places a prerequisite on using CouchDB operator 1.2.1, which resolves CVE-2019-11324.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm app connect enterpriseeq1.0.0
ibm app connect enterpriseeq1.0.1
ibm app connect enterpriseeq1.0.2
ibm app connect enterpriseeq1.0.3