Security Bulletin: App Connect Enterprise Certified Container is vulnerable to an infinite read loop (CVE-2020-16845)

2020-09-2818:00:33

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

JSON

Summary

App Connect Enterprise Certified Container is vulnerable to an infinite read loop that would cause the Operator to become unresponsive.

Vulnerability Details

CVEID:CVE-2020-16845
**DESCRIPTION:**Go Language is vulnerable to a denial of service, caused by an infinite read loop in ReadUvarint and ReadVarint in encoding/binary. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186375 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	1.0.0 with Operator
App Connect Enterprise Certified Container	1.0.1 with Operator
App Connect Enterprise Certified Container	1.0.2 with Operator
App Connect Enterprise Certified Container	1.0.3 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container

Upgrade to App Connect Enterprise Certified Container to Operator version 1.0.4 (available in CASE 1.0.4).

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm app connect enterpriseeq1.0.0
ibm app connect enterpriseeq1.0.1
ibm app connect enterpriseeq1.0.2
ibm app connect enterpriseeq1.0.3