Malware Devil

Tuesday, June 29, 2021

ESB-2021.2259 – [Win][Linux][AIX] IBM: Multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2021.2259
Security Bulletin: IBM Integration Bus and IBM App Connect
Enterprise v11 Vulnerabilities
29 June 2021

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: IBM Integration Bus
IBM App Connect Enterprise
Publisher: IBM
Operating System: Windows
AIX
Linux variants
Impact/Access: Denial of Service — Remote/Unauthenticated
Provide Misleading Information — Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2021-23840 CVE-2021-23839 CVE-2021-3450
CVE-2021-3449

Reference: ASB-2021.0122
ASB-2021.0074
ESB-2021.2232
ESB-2021.2228
ESB-2021.2160

Original Bulletin:
https://www.ibm.com/support/pages/node/6467639
https://www.ibm.com/support/pages/node/6466315
https://www.ibm.com/support/pages/node/6463979

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Integration Bus and IBM App Connect Enterprise v11 are affected by
vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449)

Document Information

Document number : 6467639
Modified date : 28 June 2021
Product : IBM App Connect Enterprise
Component : –
Software version : –
Operating system(s): Linux
AIX
Windows

Summary

IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for
which vulnerabilities were reported and have been addressed. Vulnerability
details are listed below.

Vulnerability Details

CVEID: CVE-2021-3450
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security
restrictions, caused by a missing check in the validation logic of X.509
certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any
valid certificate or certificate chain to sign a specially crafted certificate,
an attacker could bypass the check that non-CA certificates must not be able to
issue other certificates and override the default purpose.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198754 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2021-3449
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in signature_algorithms processing. By sending a specially
crafted renegotiation ClientHello message from a client, a remote attacker
could exploit this vulnerability to cause the TLS server to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 – V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.12

Remediation/Fixes

+-------------+---------------------+---------+------------------------------+
| Product     | VRMF                | APAR    | Remediation / Fix            |
+-------------+---------------------+---------+------------------------------+
|IBM App      |V11.0.0.0-V11.0.0.12 |IT36322  |The APAR is available in fix  |
|Connect      |                     |         |pack 11.0.0.13                |
|Enterprise   |                     |         |IBM App Connect Enterprise    |
|             |                     |         |Version V11-Fix Pack 11.0.0.13|
+-------------+---------------------+---------+------------------------------+
|IBM          |V10.0.0.0-V10.0.0.23 |IT36322  |Interim fix for APAR IT36322  |
|Integration  |                     |         |is available from             |
|Bus          |                     |         |IBM Fix Central               |
+-------------+---------------------+---------+------------------------------+

Workarounds and Mitigations

None

Change History

28 Jun 2021: Initial Publication

- --------------------------------------------------------------------------------

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise v11 (CVE-2021-3449 , CVE-2021-3450)

Document Information

Document number : 6466315
Modified date : 28 June 2021
Product : IBM App Connect Enterprise
Software version : –
Operating system(s): Linux
Windows
AIX

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise. The DataDirect ODBC Drivers used by IBM App Connect Enterprise and
IBM Integration Bus have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2021-3449
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in signature_algorithms processing. By sending a specially
crafted renegotiation ClientHello message from a client, a remote attacker
could exploit this vulnerability to cause the TLS server to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-3450
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security
restrictions, caused by a missing check in the validation logic of X.509
certificate chains when the X509_V_FLAG_X509_STRICT flag is set. By using any
valid certificate or certificate chain to sign a specially crafted certificate,
an attacker could bypass the check that non-CA certificates must not be able to
issue other certificates and override the default purpose.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198754 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 – V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.12

IBM App Connect Enterprise V12.0.1.0

Remediation/Fixes

+-------------+---------------------+---------+------------------------------+
| Product     | VRMF                | APAR    | Remediation / Fix            |
+-------------+---------------------+---------+------------------------------+
|IBM App      |V11.0.0.0-V11.0.0.12 |IT37078  |The APAR is available in fix  |
|Connect      |                     |         |pack 11.0.0.13                |
|Enterprise   |                     |         |IBM App Connect Enterprise    |
|             |                     |         |Version V11-Fix Pack 11.0.0.13|
+-------------+---------------------+---------+------------------------------+
|IBM App      |V12.0.1.0            |IT37078  |Interim fix for APAR IT37078  |
|Connect      |                     |         |is available from             |
|Enterprise   |                     |         |IBM Fix Central               |
+-------------+---------------------+---------+------------------------------+
|IBM          |V10.0.0.0-V10.0.0.23 |IT37078  |Interim fix for APAR IT37078  |
|Integration  |                     |         |is available from             |
|Bus          |                     |         |IBM Fix Central               |
+-------------+---------------------+---------+------------------------------+

Workarounds and Mitigations

None

Acknowledgement

Change History

22 Jun 2021: Initial Publication

- --------------------------------------------------------------------------------

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise v11 (CVE-2021-23839, CVE-2021-23840)

Document Information

Document number : 6463979
Modified date : 28 June 2021
Product : IBM App Connect Enterprise
Component : –
Software version : –
Operating system(s): Linux
Windows
AIX

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise. The DataDirect ODBC Drivers used by IBM App Connect Enterprise and
IBM Integration Bus have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2021-23839
DESCRIPTION: OpenSSL could provide weaker than expected security, caused by
incorrect SSLv2 rollback protection that allows for the inversion of the logic
during a padding check. If the server is configured for SSLv2 support at
compile time, configured for SSLv2 support at runtime or configured for SSLv2
ciphersuites, it will accept a connection if a version rollback attack has
occurred and erroneously reject a connection if a normal SSLv2 connection
attempt is made.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
196849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2021-23840
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an integer
overflow in CipherUpdate. By sending an overly long argument, an attacker could
exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 – V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 – V11.0.0.12

IBM App Connect Enterprise V12

Remediation/Fixes

1. IT37078 addresses the DataDirect ODBC driver, which is affected by
CVE-2021-23840

2. IT36322 addresses the version of Node.js, which is affected by
CVE-2021-23840 and CVE-2021-23839

+-------------+---------------------+---------+------------------------------+
| Product     | VRMF                | APAR    | Remediation / Fix            |
+-------------+---------------------+---------+------------------------------+
|IBM App      |V11.0.0.0-V11.0.0.12 |IT36322, |The APAR is available in fix  |
|Connect      |                     |IT37078  |pack 11.0.0.13                |
|Enterprise   |                     |         |IBM App Connect Enterprise    |
|             |                     |         |Version V11-Fix Pack 11.0.0.13|
+-------------+---------------------+---------+------------------------------+
|IBM          |V10.0.0.0-V10.0.0.23 |IT36322, |Interim fix for APAR IT36322  |
|Integration  |                     |IT37078  |is available from             |
|Bus          |                     |         |IBM Fix Central               |
|             |                     |         |                              |
|             |                     |         |Interim fix for APAR IT37078  |
|             |                     |         |is available from             |
|             |                     |         |IBM Fix Central               |
+-------------+---------------------+---------+------------------------------+
|IBM App      |V12.0.1.0            |IT37078  |Interim fix for APAR IT37078  |
|Connect      |                     |         |is available from             |
|Enterprise   |                     |         |IBM Fix Central               |
+-------------+---------------------+---------+------------------------------+

IBM Integration Bus V9 is no longer in full support; IBM recommends upgrading
to a fixed, supported version/release/platform of the product. If you are a
customer with extended support and require a fix, contact IBM support.
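As an added inventory check that is not part of the IBM advisories or the AusCERT bulletin, the script below encodes the affected VRMF ranges and the APAR/fix rows from the three remediation tables above and reports which rows apply to a given installed level. Product names, document numbers, APARs and fix packs are the ones quoted above; the sample inventory in the main block is constructed.

```python
# Added inventory check (not IBM's or AusCERT's code); rows copied from the tables above.

DOC_CVES = {
    "6467639": ("CVE-2021-3450", "CVE-2021-3449"),
    "6466315": ("CVE-2021-3449", "CVE-2021-3450"),
    "6463979": ("CVE-2021-23839", "CVE-2021-23840"),
}
IIB = "IBM Integration Bus"
ACE = "IBM App Connect Enterprise"
FIXPACK = "fix pack 11.0.0.13"
IFIX = "interim fix for APAR {} from IBM Fix Central"

# (document, product, first affected VRMF, last affected VRMF, APAR(s), fix)
ROWS = [
    ("6467639", IIB, "V10.0.0.0", "V10.0.0.23", "IT36322", IFIX.format("IT36322")),
    ("6467639", ACE, "V11.0.0.0", "V11.0.0.12", "IT36322", FIXPACK),
    ("6466315", IIB, "V10.0.0.0", "V10.0.0.23", "IT37078", IFIX.format("IT37078")),
    ("6466315", ACE, "V11.0.0.0", "V11.0.0.12", "IT37078", FIXPACK),
    ("6466315", ACE, "V12.0.1.0", "V12.0.1.0", "IT37078", IFIX.format("IT37078")),
    ("6463979", IIB, "V10.0.0.0", "V10.0.0.23", "IT36322, IT37078",
     IFIX.format("IT36322 and IT37078")),
    ("6463979", ACE, "V11.0.0.0", "V11.0.0.12", "IT36322, IT37078", FIXPACK),
    ("6463979", ACE, "V12.0.1.0", "V12.0.1.0", "IT37078", IFIX.format("IT37078")),
]

def parse_vrmf(level):
    """Turn 'V11.0.0.12', '11.0.0.12' or 'V11' into a 4-tuple of ints so that
    levels compare numerically (V10.0.0.9 < V10.0.0.23, unlike string order)."""
    parts = [int(p) for p in level.strip().lstrip("Vv").split(".")]
    if len(parts) > 4 or not parts:
        raise ValueError("not a VRMF level: %r" % level)
    return tuple(parts + [0] * (4 - len(parts)))

def assess(product, level):
    """Return every (document, CVEs, APAR, fix) row whose affected range contains
    `level` for `product`; an empty list means the level is not listed as affected."""
    vrmf = parse_vrmf(level)
    return [(doc, DOC_CVES[doc], apar, fix)
            for doc, prod, lo, hi, apar, fix in ROWS
            if prod == product and parse_vrmf(lo) <= vrmf <= parse_vrmf(hi)]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for prod, level in [(ACE, "V11.0.0.12"), (ACE, "V11.0.0.13"), (IIB, "10.0.0.5")]:
        hits = assess(prod, level)
        print(prod, level, "-> not listed as affected" if not hits else "")
        for doc, cves, apar, fix in hits:
            print("  doc %s %s: apply %s (%s)" % (doc, ", ".join(cves), apar, fix))
```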

Workarounds and Mitigations

None

Acknowledgement

Change History

15 Jun 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
