Security Bulletin: Vulnerability in lodash affects IBM VM Recovery Manager HA GUI

Summary

There is vulnerability in lodash which affects IBM VM Recovery Manager HA GUI

Vulnerability Details

CVEID:CVE-2020-28500
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-23337
**DESCRIPTION:**Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

Security fix is available at the following location:

<https://aix.software.ibm.com/aix/efixes/security/VMRMHA/&gt;

The security fix contains filesets which should be installed over IBM VM Recovery Manager HA GUI 1.5.0.1

Following command can be used to install these filesets:

installp -ac -FXYd. ksys.ui.agent ksys.ui.server ksys.ui.common

Workarounds and Mitigations

None