Lucene search

K
ibmIBMAF521F10DB79D363BE3259A18554FADB48432BA4A7A5605BF6704C136D545F04
HistoryMay 03, 2024 - 7:20 a.m.

Security Bulletin: OpenSSH vulnerability affects IBM WebSphere Adapter for FTP shipped with IBM Business Automation Workflow - CVE-2021-37533

2024-05-0307:20:44
www.ibm.com
4
ibm websphere adapter
ftp
apache commons-net
vulnerability
sensitive information
attack
affected versions
interim fix
cumulative fix
apar dt377899
ibm business automation workflow
ibm integration designer
software support lifecycle addendum

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

9.2 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.3%

Summary

IBM WebSphere Adapter for FTP is shipped with IBM Business Automation Workflow bundles a vulnerable copy of Apache commons-net.

Vulnerability Details

CVEID:CVE-2021-37533
**DESCRIPTION:**Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusts the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s) Status
IBM Business Automation Workflow traditional V23.0.1 - V23.0.2
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.1
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3 affected
IBM Business Automation Workflow Enterprise Service Bus V23.0.1 - V23.0.2
V22.0.2 affected

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the Interim Fix (iFix) or Cumulative Fix (CF) containing APAR DT377899 as soon as practical.

Affected Product(s) Version(s) Remediation / Fix
IBM Business Automation Workflow traditional and IBM Business Automation Workflow Enterprise Service Bus V23.0.2 Apply DT377899
IBM Business Automation Workflow traditional V21.0.3.1 Apply DT377899
IBM Business Automation Workflow traditional

V23.0.1
V22.0.1 - V22.0.2
V21.0.1 - V21.0.3.0
V20.0.0.1 - V20.0.0.2
V19.0.0.1 - V19.0.0.3
V18.0.0.1 - V18.0.0.3

| Upgrade to a long term support release or the latest SSCD version. See IBM Business Automation Workflow and IBM Integration Designer Software Support Lifecycle Addendum

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmbusiness_automation_workflowMatch22.0.2
OR
ibmbusiness_automation_workflowMatch23.0.1
OR
ibmbusiness_automation_workflowMatch23.0.2
OR
ibmbusiness_automation_workflowMatch18.0.0.0
OR
ibmbusiness_automation_workflowMatch18.0.0.1
OR
ibmbusiness_automation_workflowMatch18.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.1
OR
ibmbusiness_automation_workflowMatch19.0.0.2
OR
ibmbusiness_automation_workflowMatch19.0.0.3
OR
ibmbusiness_automation_workflowMatch20.0.0.1
OR
ibmbusiness_automation_workflowMatch20.0.0.2
OR
ibmbusiness_automation_workflowMatch21.0.2
OR
ibmbusiness_automation_workflowMatch21.0.3
OR
ibmbusiness_automation_workflowMatch22.0.1
OR
ibmbusiness_automation_workflowMatch22.0.2
OR
ibmbusiness_automation_workflowMatch23.0.1
OR
ibmbusiness_automation_workflowMatch23.0.2

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

9.2 High

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

72.3%