Lucene search

IBMC5827FE00093EFBB56E016BF3054978F4808386F6CFF6504E6F72F7B02C56320

HistoryOct 14, 2021 - 1:12 p.m.

Security Bulletin: Apache Kafka Vulnerabilities Affect the B2B API of IBM Sterling B2B Integrator (CVE-2017-12610, CVE-2018-1288)

2021-10-1413:12:26

www.ibm.com

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

0.002 Low

EPSS

Percentile

55.3%

JSON

Summary

BM Sterling B2B Integrator has addressed the security vulnerabilities.

Vulnerability Details

CVEID:CVE-2017-12610
**DESCRIPTION:**Apache Kafka could allow a remote authenticated attacker to bypass security restrictions. By using a manually specially crafted protocol message with SASL/PLAIN or SASL/SCRAM authentication, an attacker could exploit this vulnerability to impersonate other users.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/147456 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2018-1288
**DESCRIPTION:**Apache Kafka could allow a remote authenticated attacker to bypass security restrictions. By using a manually created fetch request interfering with data replication, an attacker could exploit this vulnerability to perform action reserved for the Broker.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/147455 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	APAR(s)	Version(s)
IBM Sterling B2B Integrator	IT38515	6.0.0.0 - 6.0.3.4
IBM Sterling B2B Integrator	IT38515	6.1.0.0 - 6.1.0.2

Remediation/Fixes

Product & Version	Remediation & Fix
6.0.0.0 - 6.0.3.4	Apply IBM Sterling B2B Integrator version 6.0.3.5, 6.1.0.3 or 6.1.1.0 on Fix Central
6.1.0.0 - 6.1.0.2	Apply IBM Sterling B2B Integrator version 6.1.0.3 or 6.1.1.0 on Fix Central

Workarounds and Mitigations

None

CPENameOperatorVersion
sterling b2b integratoreq5.2.0.0
sterling b2b integratoreq6.1.1.0

CPE	Name	Operator	Version
	sterling b2b integrator	eq	5.2.0.0
	sterling b2b integrator	eq	6.1.1.0

6.8 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

5.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:P/A:P

0.002 Low

EPSS

Percentile

55.3%

JSON

Related for C5827FE00093EFBB56E016BF3054978F4808386F6CFF6504E6F72F7B02C56320