Lucene search

IBMDC0307C89ADC9BDECEC60787C47BEC8B9B8EE78D2B6C0A47849682B1DA27D02F

HistoryNov 29, 2021 - 11:06 a.m.

Security Bulletin: Multiple Vulnerabilities in WebSphere Application Server Liberty affect IBM Operations Analytics - Log Analysis (CVE-2021-35517, CVE-2021-36090)

2021-11-2911:06:24

www.ibm.com

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.024 Low

EPSS

Percentile

88.7%

JSON

Summary

There are multiple vulnerabilities in the Apache Commons Compress library that is used by WebSphere Application Server Liberty. This has been addressed.

Vulnerability Details

CVEID:CVE-2021-35517
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large amounts of memory. By persuading a victim to open a specially-crafted TAR archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ tar package.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205307 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2021-36090
**DESCRIPTION:**Apache Commons Compress is vulnerable to a denial of service, caused by an out-of-memory error when large amounts of memory are allocated. By reading a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition against services that use Compress’ zip package.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205310 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Log Analysis	1.3.5.3
Log Analysis	1.3.6.0
Log Analysis	1.3.6.1
Log Analysis	1.3.7.0
Log Analysis	1.3.7.1

Remediation/Fixes

Principal Product and Version(s)	Fix details
IBM Operations Analytics - Log Analysis version 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0 and 1.3.7.1	1. For Log Analysis 1.3.5.3 to 1.3.7.0, upgrade the liberty version to WebSphere Application Server Liberty 21.0.0.6 (use wlp-core-all-21.0.0.6.jar) by following these steps.
2. Apply interim fix (use 21006-wlp-archive-IFPH39418) for the vulnerabilities using this step.

Ref.: Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect WebSphere Application Server Liberty (CVE-2021-35517, CVE-2021-36090)

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm smartcloud analyticseq1.3.5.3
ibm smartcloud analyticseq1.3.6.0
ibm smartcloud analyticseq1.3.6.1
ibm smartcloud analyticseq1.3.7.0
ibm smartcloud analyticseq1.3.7.1

Name	Operator	Version
ibm smartcloud analytics	eq	1.3.5.3
ibm smartcloud analytics	eq	1.3.6.0
ibm smartcloud analytics	eq	1.3.6.1
ibm smartcloud analytics	eq	1.3.7.0
ibm smartcloud analytics	eq	1.3.7.1