Security Bulletin: Vulnerability in Netty affects IBM Cloud Private (CVE-2021-21295)

Summary

There is a vulnerability in the Netty open source library. The library is used by IBM Cloud Private logging. This bulletin identifies the security fixes to apply to address the Netty vulnerability (CVE-2021-21295).

Vulnerability Details

CVEID:CVE-2021-21295
**DESCRIPTION:**Netty is vulnerable to HTTP request smuggling, caused by improper validation of Content-Length header by the Http2MultiplexHandler. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison a web-cache, perform an XSS attack, or obtain sensitive information from request.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197999 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by upgrading.

The recommended solution involves the IBM Cloud Private ibm-icplogging component. It is recommended that you follow the instructions for the component in the links listed below:

For IBM Cloud Private 3.1.1: IBM Cloud Private 3.1.1 Patch

For IBM Cloud Private 3.1.2: IBM Cloud Private 3.1.2 Patch

For IBM Cloud Private 3.2.0: IBM Cloud Private 3.2.0 Patch

For IBM Cloud Private 3.2.1: IBM Cloud Private 3.2.1 Patch

For IBM Cloud Private 3.2.2: IBM Cloud Private 3.2.2 Patch

For IBM Cloud Private 3.1.0:

• Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.2.

Workarounds and Mitigations

None