Nov 09, 2021 - 6:11 p.m.

Security Bulletin: A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services

2021-11-09 18:11:48
www.ibm.com

EPSS: 0.001 (Percentile: 48.2%)

Summary

A security vulnerability in Node.js tar module affects IBM Cloud Pak for Multicloud Management Managed Services.

Vulnerability Details

CVEID: CVE-2021-37712
**DESCRIPTION:** Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
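
A pre-extraction audit for the condition described above, as an added example that is not part of the IBM bulletin or the tar module's code. It takes a list of entry headers (the `{path, type}` shape and the type names are hypothetical) and reports any symlink whose name, after folding, is also used as a directory; folding by Unicode NFKD plus lower-casing is an assumption about how the destination filesystem resolves names, and the check also reports the same-name case.

```javascript
// Added example, not node-tar code. Entry objects ({path, type}) are a
// hypothetical shape for headers already read from an archive listing.
// Assumption: the destination filesystem folds names by Unicode normalization
// and case, so two different raw names can resolve to one directory entry.
const fold = (seg) => seg.normalize('NFKD').toLowerCase();
const segments = (p) => p.split('/').filter((s) => s && s !== '.');

function findSymlinkDirCollisions(entries) {
  const dirSpellings = new Map(); // folded dir path -> Set of raw spellings
  const links = [];
  for (const { path, type } of entries) {
    const segs = segments(path);
    // A Directory entry names a directory itself; any other entry only
    // implies its ancestors as directories.
    const depth = type === 'Directory' ? segs.length : segs.length - 1;
    for (let i = 1; i <= depth; i++) {
      const key = segs.slice(0, i).map(fold).join('/');
      if (!dirSpellings.has(key)) dirSpellings.set(key, new Set());
      dirSpellings.get(key).add(segs.slice(0, i).join('/'));
    }
    if (type === 'SymbolicLink') links.push(segs);
  }
  const findings = [];
  for (const segs of links) {
    const raw = segs.join('/');
    const spellings = dirSpellings.get(segs.map(fold).join('/'));
    if (!spellings) continue; // symlink name is never used as a directory
    findings.push({
      symlink: raw,
      usedAsDirectory: [...spellings].sort(),
      // true when the directory appears under a different apparent name
      aliased: [...spellings].some((s) => s !== raw),
    });
  }
  return findings;
}

// Constructed sample listing (not from a real archive).
const sampleEntries = [
  { path: 'pkg/', type: 'Directory' },
  { path: 'pkg/caf\u00e9/', type: 'Directory' },     // precomposed "é"
  { path: 'pkg/cafe\u0301', type: 'SymbolicLink' },  // "e" + combining accent
  { path: 'pkg/caf\u00e9/index.js', type: 'File' },
  { path: 'pkg/docs', type: 'SymbolicLink' },        // never used as a directory
];
console.log(findSymlinkDirCollisions(sampleEntries));
```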

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Cloud Pak for Multicloud Management Infrastructure Management | All |

Remediation/Fixes

Upgrade to IBM Cloud Pak for Multicloud Management 2.3.x Fix Pack 2 by following the instructions at <https://www.ibm.com/docs/en/cloud-paks/cp-management/2.3.x?topic=upgrade-upgrading-fix-pack-2>.

Workarounds and Mitigations

None