Lucene search

IBMC05974882DC2013D181B695C0D1229AF152779253F30FE6D3986D16851D873CE

HistoryOct 20, 2021 - 10:09 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to bypassing of access control based on IP addresses due to CVE-2021-29923

2021-10-2010:09:43

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

52.9%

JSON

Summary

IBM App Connect Enterprise Certified Container Integration Servers may be vulnerable to bypassing of access control based on IP addresses due to CVE-2021-29923

Vulnerability Details

CVEID:CVE-2021-29923
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by improper consideration for extraneous zero characters at the beginning of an IP address octet. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access control based on IP addresses.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207025 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	1.0 with Operator
App Connect Enterprise Certified Container	1.1 with Operator
App Connect Enterprise Certified Container	1.2 with Operator
App Connect Enterprise Certified Container	1.3 with Operator
App Connect Enterprise Certified Container	1.4 with Operator
App Connect Enterprise Certified Container	1.5 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 1.0, 1.1, 1.2, 1.3, 1.4 and 1.5

Upgrade to App Connect Enterprise Certified Container Operator version 2.0.0 (available in CASE 2.0.0) or higher, and ensure that all components are at 12.0.1.0-r4 or higher.

App Connect Enterprise Certified Container 1.1 LTS

Upgrade to App Connect Enterprise Certified Container Operator version 1.1.4 EUS (available in CASE 1.1.4) or higher, and ensure that all components are at 11.0.0.14-r1-eus or higher.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm app connect enterpriseeq1.0.0
ibm app connect enterpriseeq1.0.1
ibm app connect enterpriseeq1.0.2
ibm app connect enterpriseeq1.0.3
ibm app connect enterpriseeq1.0.4
ibm app connect enterpriseeq1.0.5
ibm app connect enterpriseeq1.1
ibm app connect enterpriseeq1.2
ibm app connect enterpriseeq1.3
ibm app connect enterpriseeq1.4

Name	Operator	Version
ibm app connect enterprise	eq	1.0.0
ibm app connect enterprise	eq	1.0.1
ibm app connect enterprise	eq	1.0.2
ibm app connect enterprise	eq	1.0.3
ibm app connect enterprise	eq	1.0.4
ibm app connect enterprise	eq	1.0.5
ibm app connect enterprise	eq	1.1
ibm app connect enterprise	eq	1.2
ibm app connect enterprise	eq	1.3
ibm app connect enterprise	eq	1.4