Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to directory traversal due to CVE-2021-32803

Summary

IBM App Connect Enterprise Certified Container may be vulnerable to directory traversal due to CVE-2021-32803. This only affects Node.js runtime processes.

Vulnerability Details

CVEID:CVE-2021-32803
**DESCRIPTION:**Node.js tar module could allow a local attacker to traverse directories on the system, caused by insufficient symlink protection. An attacker could use a specially-crafted tar file containing “dot dot” sequences (/…/) to create or overwrite arbitrary files on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206717 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4, 1.5 and 2.0

Upgrade to App Connect Enterprise Certified Container Operator version 2.1.0 (available in CASE 2.1.0) or higher, and ensure that all components are at 12.0.2.0-r1 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.4 EUS (available in CASE 1.1.4) or higher, and ensure that all components are at 11.0.0.14-r1-eus or higher.

Workarounds and Mitigations

None