Lucene search

K
ibmIBM989C1D438780A4A9BE58BFAFBD0206327799DA296D6A38C66DFC8C896986E544
HistoryMar 28, 2022 - 4:18 p.m.

Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise v11 & v12 (CVE-2021-3711)

2022-03-2816:18:14
www.ibm.com
12

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.9%

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprsie. The DataDirect ODBC Drivers & Nodejs used by IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs

Vulnerability Details

CVEID:CVE-2021-3711
**DESCRIPTION:**OpenSSL is vulnerable to a buffer overflow, caused by improper bounds checking by the EVP_PKEY_decrypt() function within implementation of the SM2 decryption. By sending specially crafted SM2 content, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208072 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.25

IBM App Connect Enterprise V11 , V11.0.0.0 - V11.0.0.15

IBM App connect Enterprise V12.0.1.0 - V12.0.2.0

Remediation/Fixes

_1. IT38663 addresses the DataDirect ODBC driver which is affected by CVE-2021-3711
_

2_. IT38613 addresses the version of node js which is affected by CVE-2021-3711
_

Product

|

VRMF

| APAR|

Remediation / Fix

—|—|—|—
IBM App Connect Enterprise V12| V12.0.1.0 - V12.0.2.0| _IT38663
_|

Interim fix for APAR (IT38663) for 12.0.2.0 is available from IBM Fix Central

IBM App Connect Enterprise V12| V12.0.1.0| _IT38613
_|

The APAR (IT38613) is available in fix pack 12.0.2.0

IBM App Connect Enterprise Version V12-Fix Pack 12.0.2.0

IBM App Connect Enterprise v11| V11.0.0.0-V11.0.0.15| IT38663|

Interim fix for APAR (IT38663) for 11.0.0.15 is available from IBM Fix Central

Interim fix for APAR (IT38663) for 11.0.0.14 is available from IBM Fix Central

IBM App Connect Enterprise v11| V11.0.0.0-V11.0.0.14| IT38613|

The APAR (IT38613) is available in fix pack 11.0.0.15

IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.15

IBM Integration Bus | V10.0.0.0 - V10.0.0.24| _ IT38663_|

Interim fix for APAR (IT38663) for 10.0.0.24 is available from

IBM Fix Central

IBM Integration Bus | V10.0.0.0 - V10.0.0.25| IT38613|

See section Workarounds and Mitigations

Workarounds and Mitigations

For IBM Integration Bus v10 V10.0.0.24 -V10.0.0.25 users can disable node js. Refer to
Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.068 Low

EPSS

Percentile

93.9%