Security Bulletin: API Connect is affected by a vulnerability by which an authenticated user could generate an API token

Summary

API Connect has addressed the following vulnerability.

An authenticated user could be allowed to generate an API token when not subscribed to the application plan.

Vulnerability Details

CVEID:CVE-2017-1555**
DESCRIPTION: *IBM API Connect could allow an authenticated user to generate an API token when not subscribed to the application plan.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/131545 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected API Connect

|

Affected Versions

—|—
IBM API Connect| 5.0.0.0-5.0.6.3
IBM API Connect| 5.0.7.0-5.0.7.2

Remediation/Fixes

Affected Product

|

Addressed in VRMF

|

APAR

|

Remediation / First Fix

—|—|—|—
IBM API Connect

5.0.0.0-5.0.6.3| 5.0.6.4| LI79761 | Addressed in IBM API Connect V5.0.6.4.

Follow this link and find the “APIConnect_Management” package:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.6.3&platform=All&function=all
IBM API Connect

5.0.7.0-5.0.7.2| A future 5.0.7.2 iFix

5.0.8.0| LI79761 | Addressed in a future 5.0.7.2 iFix and IBM API Connect V5.0.8.0.

Follow this link and find the “APIConnect_Management” package:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.7.0&platform=All&function=all