Lucene search

IBMEBFB2438D75E8F72CF1C93F67530A33FEEB6EBB40BD3883F85616AFE9252BCE2

HistoryMar 23, 2022 - 11:04 a.m.

Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX

2022-03-2311:04:44

www.ibm.com

180

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.2%

JSON

Summary

Lodash versions prior to 4.17.21 caused vulnerability in PowerHA System Mirror for AIX releases in service.

Vulnerability Details

CVEID:CVE-2021-23337
**DESCRIPTION:**Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a command injection flaw in the template. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196797 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-28500
**DESCRIPTION:**Node.js lodash module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) in the toNumber, trim and trimEnd functions. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196972 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
PowerHA SystemMirror

7.2.1 *

7.2.2 *

7.2.3

7.2.4

7.2.5

Versions out of support as on Dec-2021

Remediation/Fixes

The service packs of PowerHA 7.2.5 SP1, 7.2.4 SP4 & 7.2.3 SP6 are upgraded to latest version of lodash which remediates this vulnerability.

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.5&platform=AIX&function=all

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.4&platform=AIX&function=all

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Cluster%20software&product=ibm/Other+software/PowerHAClusterManager&release=7.2.3&platform=AIX&function=all

Workarounds and Mitigations

None

CPENameOperatorVersion
powerha systemmirroreq7.2.5
powerha systemmirroreq7.2.4
powerha systemmirroreq7.2.3

Name	Operator	Version
powerha systemmirror	eq	7.2.5
powerha systemmirror	eq	7.2.4
powerha systemmirror	eq	7.2.3

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

0.006 Low

EPSS

Percentile

78.2%

JSON

Related for EBFB2438D75E8F72CF1C93F67530A33FEEB6EBB40BD3883F85616AFE9252BCE2