IBM888DE110E5088971E9B74A6326841FD8190EABCE6D1C9F48C922F07C5848B41ESecurity Bulletin: Operations Dashboard is vulnerable to Elasticsearch Go vulnerabilities (CVE-2021-22144 & CVE-2021-22145)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.345 Low
EPSS
Percentile
96.5%
Summary
Operations Dashboard is vulnerable to Elasticsearch vulnerabilities (CVE-2021-22144 & CVE-2021-22145) with details of each below
Vulnerability Details
CVEID:CVE-2021-22144
**DESCRIPTION:**Elasticsearch is vulnerable to a denial of service, caused by an uncontrolled recursion vulnerability in the Elasticsearch Grok parser. By creating a specially crafted Grok query, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206321 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-22145
**DESCRIPTION:**Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the error reporting feature. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information from a data buffer, and use this information to launch further attacks against the affected system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206021 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Operations Dashboard | 2020.4.1-0-eus |
| 2020.4.1-1-eus | |
| 2020.4.1-2-eus | |
| 2021.1.1 | |
| 2021.2.1 |
Remediation/Fixes
Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2020.4.1-3-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard>
Operations Dashboard version 2021.1.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=runtimes-upgrading-integration-tracing>
Operations Dashboard version 2021.2.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=runtimes-upgrading-integration-tracing>
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| operations dashboard | ge | 2020.4.1 | |
| operations dashboard | le | 0 |
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
0.345 Low
EPSS
Percentile
96.5%