Security Bulletin: API Connect is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832)
Summary Apache Log4j is used by API Connect as part of its logging and analytics infrastructure. The fix includes Apache Log4j 2.17.1 which addresses CVE-2021-45105, CVE-2021-45046 and CVE-2021-44832. Vulnerability Details CVEID: CVE-2021-45105 DESCRIPTION: Apache Log4j is vulnerable to a denial ...
Security Bulletin: IBM API Connect is impacted by multiple vulnerabilities in Java SE.
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-14779 DESCRIPTION: An unspecified vulnerability in Java SE related to the Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low...
Security Bulletin: IBM API Connect is vulnerable to web cache poisoning (CVE-2020-4828)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-4828 DESCRIPTION: IBM API Connect is vulnerable to web cache poisoning, caused by improper input validation by modifying HTTP request headers. CVSS Base score: 6.5 CVSS Temporal Score: See:...
Security Bulletin: IBM API Connect's Developer Portal is impacted by multiple vulnerabilities in Drupal core.
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-13669 DESCRIPTION: Drupal core is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the built-in CKEditor image caption functionality. A remote...
Security Bulletin: IBM API Connect is vulnerable to denial of service (DoS) via etcd (CVE-2020-15106 CVE-2020-15112 CVE-2020-15113)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-15106 DESCRIPTION: etcd is vulnerable to a denial of service, caused by improper data validation in the decodeRecord method. By sending specially crafted data, a remote authenticated attacke...
Security Bulletin: IBM API Connect is vulnerable to arbitrary code execution and security bypass in Drupal (CVE-2020-13664, CVE-2020-13665)
Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2020-13664 DESCRIPTION: Drupal core could allow a remote attacker to execute arbitrary code on the system, caused by a code injection flaw. By persuading a victim to visit a specially-crafted web...
Security Bulletin: IBM API Connect's API Manager is vulnerable to privilege escalation (CVE-2020-4638)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-4638 DESCRIPTION: IBM API Connect's API Manager is vulnerable to privilege escalation. An invitee to an API Provider organization can escalate privileges by manipulating the invitation link...
Security Bulletin: IBM API Connect is vulnerable to cross-site request forgery (CSRF) (CVE-2020-13663)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-13663 DESCRIPTION: Drupal core is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the Form API. By persuading an authenticated user to visit a...
Security Bulletin: IBM API Connect is impacted by vulnerabilities in PHP (CVE-2020-7066, CVE-2020-7065, CVE-2020-7064)
Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2020-7066 DESCRIPTION: PHP could allow a remote attacker to obtain sensitive information, caused by an issue where get_headers() silently truncates anything after a null byte in the URL it uses. ...
CVE-2020-4452
IBM API Connect V2018.4.1.0 through 2018.4.1.11 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 181324...
CVE-2020-4452
CVE-2020-4452 affects IBM API Connect versions 2018.4.1.0–2018.4.1.11, where weak cryptographic algorithms could allow an attacker to decrypt highly sensitive information. Root cause: use of weaker-than-expected cryptography. Impact: disclosure of sensitive data. Remediation: IBM fixed in 2018.4....
Security Bulletin: IBM API Connect V2018 (ova) is vulnerable to denial of service (CVE-2020-8551, CVE-2020-8552)
Summary IBM API Connect has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2020-8551 DESCRIPTION: Kubernetes kubelet API is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted request, a remote attacker could exploit th...
CVE-2020-4195
CVE-2020-4195 affects IBM API Connect V2018.4.1.0–2018.4.1.10, which is vulnerable to clickjacking via a malicious website, enabling a remote attacker to hijack the user's click actions. The IBM security bulletin confirms remediation in V2018.4.1.11 and provides the upgrade path (2018...
Security Bulletin: IBM API Connect is vulnerable to clickjacking (CVE-2020-4195)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2020-4195 DESCRIPTION: IBM API Connect could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could explo...
Security Bulletin: IBM API Connect's Developer Portal is impacted by a denial of service vulnerability in MySQL (CVE-2019-2805)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-2805 DESCRIPTION: Vulnerability in the MySQL Server component of Oracle MySQL subcomponent: Server: Parser. Supported versions that are affected are 5.6.44 and prior, 5.7.26 and prior and 8.0....
Security Bulletin: API Connect is impacted by a vulnerability in PHP (CVE-2019-11043)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-11043 DESCRIPTION: In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocat...
Security Bulletin: IBM API Connect is impacted by a vulnerability in Kubernetes (CVE-2019-11253)
Summary IBM API Connect has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2019-11253 DESCRIPTION: Improper input validation in the Kubernetes API server in versions v1.0-1.12 and versions prior to v1.13.12, v1.14.8, v1.15.5, and v1.16.2 allows authorized users to send...