Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX

Published: 2022-03-23 11:04:44
Source: www.ibm.com
Tags: powerha systemmirror, aix, lodash, cve-2021-23337, cve-2020-28500, vulnerability, node.js, denial of service, remediation

EPSS

0.009

Percentile

82.6%

Summary

Lodash versions prior to 4.17.21 contain vulnerabilities that affect the PowerHA SystemMirror for AIX releases in service.

Vulnerability Details

CVEID: CVE-2021-23337
**DESCRIPTION:** Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-28500
**DESCRIPTION:** Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| PowerHA SystemMirror | 7.2.1 *, 7.2.2 *, 7.2.3, 7.2.4, 7.2.5 |

\* Versions out of support as of Dec-2021

Remediation/Fixes

The PowerHA service packs 7.2.5 SP1, 7.2.4 SP4 and 7.2.3 SP6 ship an upgraded lodash (the latest version at the time of release), which remediates both vulnerabilities described above.

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.5&platform=AIX&function=all

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.4&platform=AIX&function=all

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.3&platform=AIX&function=all

Workarounds and Mitigations

None
