Security Bulletin: Vulnerabilities in the Java JDK affect IBM Event Streams (CVE-2021-35550, CVE-2021-35603)

Summary

There are a number of vulnerabilities in the Java JDK used by IBM Event Streams.

Vulnerability Details

CVEID:CVE-2021-35550
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211627 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2021-35603
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JSSE component could allow an unauthenticated attacker to obtain sensitive information resulting in a low confidentiality impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211676 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

BM Event Streams (Continuous Delivery)

|

10.0.0, 10.1.0, 10.2.0, 10.3.0, 10.3.1, 10.4.0

IBM Event Streams (Extended Update Support)

|

10.2.0-eus, 10.2.1-eus (2.2.1, 2.2.2, 2.2.3)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading

IBM Event Streams (Continuous Delivery)

• Upgrade to IBM Event Streams 10.5.0 by following the upgrading and migrating documentation.

IBM Event Streams (Extended Update Support)

• Upgrade to IBM Event Streams 10.2.1-eus (2.2.4) by following the upgrading and migrating documentation.

Workarounds and Mitigations

None