Security Bulletin: Images built from IBM App Connect Enterprise Certified Containers may be vulnerable to arbitrary code execution due to CVE-2021-37712

Summary

The Node.js tar module is used by the package manager npm, which is included in the IBM App Connect Enterprise Certified Container images. Use of npm when building images based on IBM App Connect Enterprise Certified Container images may be vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability CVE-2021-37712 in the Node.js tar module.

Vulnerability Details

CVEID:CVE-2021-37712
**DESCRIPTION:**Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0 and 3.1 (Continuous Delivery)

When building an image based on the App Connect Enterprise Certified Container images, ensure that you use a base image of 12.0.3.0-r2 or higher.

App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)

When building an image based on the App Connect Enterprise Certified Container images, ensure that you use a base image of 11.0.0.16-r1-eus or higher.

Workarounds and Mitigations

None