IBMFE0952C328022F7E88539E801342AFC03132BF9060AB11DA5AB172ACF0B2B21CSecurity Bulletin: IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.013 Low
EPSS
Percentile
84.5%
Summary
IBM Cloud Pak for Integration is vulnerable to multiple Node.js vulnerabilities with details below
Vulnerability Details
CVEID:CVE-2021-22931
**DESCRIPTION:**Node.js could provide weaker than expected security, caused by missing input validation on hostnames returned by DNS servers. An attacker could exploit this vulnerability to cause output of wrong hostnames leading to Domain Hijacking and and injection vulnerabilities in applications using the library.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207230 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L)
CVEID:CVE-2021-22939
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions. If the https API was used incorrectly and “undefined” was in passed for the “rejectUnauthorized” parameter, an attacker could exploit this vulnerability to connect to servers using an expired certificate.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207233 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2021-22940
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by an incomplete fix for CVE-2021-22930 related to a use-after-free on close http2 on stream canceling. An attacker could exploit this vulnerability to corrupt memory to change process behavior.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207520 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
| 2021.1.1 | |
| 2021.2.1 | |
| Asset Repository in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
| 2021.1.1 | |
| 2021.2.1 |
Remediation/Fixes
Platform Navigator 2020.4.1 in****IBM Cloud Pak for Integration
Upgrade Platform Navigator 2020.4.1 to 2020.4.1-4-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface>
Platform Navigator version 2021.1 or 2021.2 in IBM Cloud Pak for Integration
Upgrade Asset Repository to 2021.3.1 using the Operator upgrade process described in the IBM Documentation
**
Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration**
Upgrade Asset Repository to 2020.4.1-3-eus using the Operator upgrade process described in the IBM Documentation
Asset Repository version 2021.1 or 2021.2 in IBM Cloud Pak for Integration
Upgrade Asset Repository to 2021.2.1-1 using the Operator upgrade process described in the IBM Documentation
Workarounds and Mitigations
None
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.013 Low
EPSS
Percentile
84.5%