Lucene search

K
ibmIBMFE0952C328022F7E88539E801342AFC03132BF9060AB11DA5AB172ACF0B2B21C
HistoryOct 22, 2021 - 2:03 p.m.

Security Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities

2021-10-2214:03:57
www.ibm.com
11

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.1%

Summary

IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities with details below

Vulnerability Details

CVEID:CVE-2021-22931
**DESCRIPTION:**Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames leading to Domain Hijacking and and injection vulnerabilities in applications using the library.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207230 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)

CVEID:CVE-2021-22939
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and โ€œundefinedโ€ was in passed for the โ€œrejectUnauthorizedโ€ parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207233 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2021-22940
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for CVE-2021-22930 related to a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
Platform Navigator in IBM Cloud Pak for Integration (CP4I) 2020.4.1
2021.1.1
2021.2.1
Asset Repository in IBM Cloud Pak for Integration (CP4I) 2020.4.1
2021.1.1
2021.2.1

Remediation/Fixes

Platform Navigator 2020.4.1 in****IBM Cloud Pak for Integration

Upgrade Platform Navigator 2020.4.1 to 2020.4.1-4-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface&gt;

Platform Navigator version 2021.1 or 2021.2 in IBM Cloud Pak for Integration

Upgrade Asset Repository to 2021.3.1 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=upgrading-deployment-navigation-interface-platform-navigator&gt;

**

Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration**

Upgrade Asset Repository to 2020.4.1-3-eus using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=components-upgrading-asset-repository&gt;

Asset Repository version 2021.1 or 2021.2 in IBM Cloud Pak for Integration

Upgrade Asset Repository to 2021.2.1-1 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2021.3?topic=runtimes-upgrading-automation-assets&gt;

Workarounds and Mitigations

None

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.015 Low

EPSS

Percentile

87.1%