Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by CVE-2021-23807

2022-01-0609:52:20

www.ibm.com

ibm app connect

enterprise certified container

cve-2021-23807

remote attacker

arbitrary code

denial of service

node.js

jsonpointer

prototype pollution

EPSS

0.17

Percentile

96.1%

JSON

Summary

IBM App Connect Enterprise Certified Container may be affected by a prototype polution vulnerability in jsonpointer due to CVE-2021-23807, that could allow a remote attacker to execute aritrary code or perform a denial of service attack

Vulnerability Details

CVEID:CVE-2021-23807
**DESCRIPTION:**Node.js jsonpointer module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the pointer components. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/212826 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	1.1-eus with Operator
App Connect Enterprise Certified Container	1.5 with Operator
App Connect Enterprise Certified Container	2.0 with Operator
App Connect Enterprise Certified Container	2.1 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 1.5, 2.0 and 2.1 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 3.0.0 or higher, and ensure that all components are at 12.0.2.0-r2 or higher.

App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.5 EUS or higher, and ensure that all components are at 11.0.0.15-r1-eus or higher.