History: Jan 20, 2022 - 10:43 p.m.

Security Bulletin: IBM MaaS360 Cloud Extender and Modules have various vulnerabilities (CVE-2021-22924, CVE-2021-3712)

2022-01-20 22:43:49
www.ibm.com

CVSS3: 7.4 High

- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: NONE
- Availability Impact: HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS2: 5.8 Medium

- Access Vector: NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: NONE
- Availability Impact: PARTIAL
- Vector: AV:N/AC:M/Au:N/C:P/I:N/A:P

EPSS: 0.004 Low (Percentile: 71.2%)

Summary

A vulnerability contained within a 3rd party component was identified and remediated in the IBM MaaS360 Cloud Extender Agent (V2.106.100.008) and Modules.

Vulnerability Details

**CVEID:** CVE-2021-22924
**DESCRIPTION:** An unspecified error in cURL libcurl, in which a bad connection is reused due to improper path name validation, has an unknown impact and attack vector.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206047 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID:** CVE-2021-3712
**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when processing ASN.1 strings. By sending specially crafted data, an attacker could exploit this vulnerability to read contents of memory on the system or perform a denial of service attack.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208073 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM MaaS360 Base Module | 2.105.300 and prior |
| IBM MaaS360 VPN Module | 2.105.300 and prior |
| IBM MaaS360 Certificate Integration Module | 2.105.300 and prior |
| IBM MaaS360 Cloud Extender Agent | 2.105.300.005 and prior |

Remediation/Fixes

Update the IBM MaaS360 Cloud Extender to version 2.106.100.008 or greater. The Cloud Extender version 2.106.100.008 will be available on 22-November-2021.

The latest Cloud Extender agent is available within the MaaS360 Administrator Portal. Instructions to upgrade the Agent are located on this IBM Documentation page. Instructions on how to upgrade the VPN Module are located on this IBM Documentation page.

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| ibm maas360 | eq | 2.101.100 |
