Security Bulletin: IBM Integration Bus for z/OS is vulnerable to a remote attack due to Apache Maven (CVE-2021-26291)

Summary

UPDATE 21 AUGUST 2024: This fix has been updated. Please download and install the fix dated 21 August 2024. The IBM Integration Bus for z/OS toolkit is vulnerable to a remote attack due to Apache Maven. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2021-26291
**DESCRIPTION:**Apache Maven could allow a remote attacker to bypass security restrictions, caused by the use of http (non-SSL) repository references by default. By sending a specially-crafted request, an attacker could exploit this vulnerability to take over the repository or to insert themselves into a position to pretend to be that repository.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/200608 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus for z/OS **

Affected Product(s)

|

Version(s)

| APAR|

Remediation / Fixes

—|—|—|—
IBM Integration Bus for z/OS| 10.1 - 10.1.0.4| PH62455|

This fix has been updated. Please download and install fix dated 24 August 2024. Interim fix for APAR (PH62455) is available to apply to 10.1.0.4 from

IBM Fix Central

Workarounds and Mitigations

None