Security Bulletin: IBM API Connect is impacted by vulnerabilities in Docker (CVE-2021-21285, CVE-2021-21284)

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2021-21285
**DESCRIPTION:**Docker is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to pull a specially-crafted Docker image, a remote attacker could exploit this vulnerability to cause the dockerd daemon to crash, and results in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196049 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-21284
**DESCRIPTION:**Docker could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw when using the --userns-remap option. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges as root on the system.
CVSS Base score: 8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196047 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM API Connect

V2018.4.1.0-2018.4.1.13

| 2018.4.1.15|

LI82013

|

Addressed in IBM API Connect V2018.4.1.15.

Management server is impacted.

Follow this link and find the “management” package.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V10.0.0-V10.0.1.1

| 10.0.1.2|

LI82013

|

Addressed in IBM API Connect V10.0.1.2

Management server is impacted.

Follow this link and find the “management” package.

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None