Operations Dashboard is vulnerable to Elasticsearch vulnerabilities (CVE-2021-22144 & CVE-2021-22145) with details of each below
CVEID:CVE-2021-22144
**DESCRIPTION:**Elasticsearch is vulnerable to a denial of service, caused by an uncontrolled recursion vulnerability in the Elasticsearch Grok parser. By creating a specially crafted Grok query, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206321 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2021-22145
**DESCRIPTION:**Elastic Elasticsearch could allow a remote authenticated attacker to obtain sensitive information, caused by an out-of-bounds read flaw in the error reporting feature. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information from a data buffer, and use this information to launch further attacks against the affected system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206021 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
Operations Dashboard | 2020.4.1-0-eus |
2020.4.1-1-eus | |
2020.4.1-2-eus | |
2021.1.1 | |
2021.2.1 |
Operations Dashboard version 2020.4.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2020.4.1-3-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-operations-dashboard>
Operations Dashboard version 2021.1.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=runtimes-upgrading-integration-tracing>
Operations Dashboard version 2021.2.1 in IBM Cloud Pak for Integration
Upgrade Operations Dashboard to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=runtimes-upgrading-integration-tracing>
None