Lucene search

K
ibmIBM8173041F0A12BEA1DC4A9C461551DFB3E3B75A3D59886CD94D89D32CA67FEF14
HistoryApr 28, 2023 - 11:46 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use FTE nodes may be vulnerable to loss of confidentiality due to [CVE-2021-37533]

2023-04-2811:46:53
www.ibm.com
12

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.7%

Summary

Apache Commons Net is used by IBM App Connect Enterprise Certified Container in the FTE Nodes. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that use FTE nodes may be vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Apache Commons Net. [CVE-2021-37533]

Vulnerability Details

CVEID:CVE-2021-37533
**DESCRIPTION:**Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusts the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 4.1
App Connect Enterprise Certified Container 4.2
App Connect Enterprise Certified Container 5.0-lts
App Connect Enterprise Certified Container 5.1
App Connect Enterprise Certified Container 5.2
App Connect Enterprise Certified Container 6.0
App Connect Enterprise Certified Container 6.1
App Connect Enterprise Certified Container 6.2
App Connect Enterprise Certified Container 7.0
App Connect Enterprise Certified Container 7.1
App Connect Enterprise Certified Container 7.2
App Connect Enterprise Certified Container 8.0

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 8.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 8.1.0 or higher, and ensure that all IntegrationServer and IntegrationRuntime components are at 12.0.8.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.6 or higher, and ensure that all IntegrationServer components are at 12.0.8.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.004 Low

EPSS

Percentile

71.7%

Related for 8173041F0A12BEA1DC4A9C461551DFB3E3B75A3D59886CD94D89D32CA67FEF14