-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2021.2259.2
        Security Bulletin: IBM Integration Bus and IBM App Connect
                      Enterprise v11 Vulnerabilities
                               30 June 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Integration Bus
                   IBM App Connect Enterprise
Publisher:         IBM
Operating System:  Windows
                   AIX
                   Linux variants
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-23840 CVE-2021-23839 CVE-2021-3450
                   CVE-2021-3449  

Reference:         ASB-2021.0122
                   ASB-2021.0074
                   ESB-2021.2232
                   ESB-2021.2228
                   ESB-2021.2160

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6467639
   https://www.ibm.com/support/pages/node/6466315
   https://www.ibm.com/support/pages/node/6463979

Comment: This bulletin contains three (3) IBM security advisories.

Revision History:  June 30 2021: Updated Product Tag
                   June 29 2021: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Integration Bus and IBM App Connect Enterprise v11 are affected by
vulnerabilities in Node.js (CVE-2021-3450, CVE-2021-3449)

Document Information

Document number    : 6467639
Modified date      : 28 June 2021
Product            : IBM App Connect Enterprise
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows

Summary

IBM Integration Bus and IBM App Connect Enterprise V11 ship with Node.js, which
bundles its own copy of OpenSSL. The two CVEs below are OpenSSL defects reached
through that bundled copy; they have been addressed. Vulnerability details are
listed below.

Vulnerability Details

CVEID: CVE-2021-3450
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security
restrictions, caused by a flaw in the additional X.509 chain checks enabled by
the X509_V_FLAG_X509_STRICT flag: a later check overwrote the result of the
earlier check that non-CA certificates must not issue other certificates. By
using any valid certificate or certificate chain to sign a specially crafted
certificate, an attacker could have that non-CA certificate accepted as an
issuer. The bypass applies only when the application sets
X509_V_FLAG_X509_STRICT (not set by default) and also overrides the default
certificate purpose; with the default purpose in place, the purpose check
still rejects such a chain.
CVSS Base score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198754
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

CVEID: CVE-2021-3449
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in signature_algorithms processing. By sending a specially
crafted renegotiation ClientHello that omits the signature_algorithms
extension while including signature_algorithms_cert, a remote attacker could
exploit this vulnerability to cause the TLS server to crash. Only servers
running TLSv1.2 with renegotiation enabled (the default configuration) are
affected.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198752
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12


Remediation/Fixes

+--------------+--------------------+----------+-----------------------------+
|   Product    |        VRMF        |APAR      |      Remediation / Fix      |
+--------------+--------------------+----------+-----------------------------+
|              |                    |          |The APAR is available in fix |
|IBM App       |                    |          |pack 11.0.0.13               |
|Connect       |V11.0.0.0-V11.0.0.12|IT36322   |IBM App Connect Enterprise   |
|Enterprise    |                    |          |Version V11-Fix Pack         |
|              |                    |          |11.0.0.13                    |
+--------------+--------------------+----------+-----------------------------+
|IBM           |V10.0.0.0 -         |          |Interim fix for APAR IT36322 |
|Integration   |V10.0.0.23          |IT36322   |is available from            |
|Bus           |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+

Workarounds and Mitigations

None

Change History

28 Jun 2021: Initial Publication

- --------------------------------------------------------------------------------

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise v11 (CVE-2021-3449 , CVE-2021-3450)

Document Information

Document number    : 6466315
Modified date      : 28 June 2021
Product            : IBM App Connect Enterprise
Software version   : -
Operating system(s): Linux
                     Windows
                     AIX

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise. The DataDirect ODBC Drivers used by IBM App Connect Enterprise and
IBM Integration Bus have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2021-3449
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a NULL
pointer dereference in signature_algorithms processing. By sending a specially
crafted renegotiation ClientHello that omits the signature_algorithms
extension while including signature_algorithms_cert, a remote attacker could
exploit this vulnerability to cause the TLS server to crash. Only servers
running TLSv1.2 with renegotiation enabled (the default configuration) are
affected.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198752
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-3450
DESCRIPTION: OpenSSL could allow a remote attacker to bypass security
restrictions, caused by a flaw in the additional X.509 chain checks enabled by
the X509_V_FLAG_X509_STRICT flag: a later check overwrote the result of the
earlier check that non-CA certificates must not issue other certificates. By
using any valid certificate or certificate chain to sign a specially crafted
certificate, an attacker could have that non-CA certificate accepted as an
issuer. The bypass applies only when the application sets
X509_V_FLAG_X509_STRICT (not set by default) and also overrides the default
certificate purpose; with the default purpose in place, the purpose check
still rejects such a chain.
CVSS Base score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/198754
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12

IBM App Connect Enterprise V12.0.1.0

Remediation/Fixes

+--------------+--------------------+----------+-----------------------------+
|   Product    |        VRMF        |APAR      |      Remediation / Fix      |
+--------------+--------------------+----------+-----------------------------+
|              |                    |          |The APAR is available in fix |
|IBM App       |                    |          |pack 11.0.0.13               |
|Connect       |V11.0.0.0-V11.0.0.12|IT37078   |IBM App Connect Enterprise   |
|Enterprise    |                    |          |Version V11-Fix Pack         |
|              |                    |          |11.0.0.13                    |
+--------------+--------------------+----------+-----------------------------+
|IBM App       |                    |          |Interim fix for APAR IT37078 |
|Connect       |V12.0.1.0           |IT37078   |is available from            |
|Enterprise    |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+
|IBM           |V10.0.0.0 -         |          |Interim fix for APAR IT37078 |
|Integration   |V10.0.0.23          |IT37078   |is available from            |
|Bus           |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+

Workarounds and Mitigations

None

Change History

22 Jun 2021: Initial Publication

- --------------------------------------------------------------------------------

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise v11 (CVE-2021-23839, CVE-2021-23840)

Document Information

Document number    : 6463979
Modified date      : 28 June 2021
Product            : IBM App Connect Enterprise
Component          : -
Software version   : -
Operating system(s): Linux
                     Windows
                     AIX

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect
Enterprise. The DataDirect ODBC Drivers used by IBM App Connect Enterprise and
IBM Integration Bus have addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2021-23839
DESCRIPTION: OpenSSL 1.0.2 could provide weaker than expected security, caused
by an inverted padding check in its SSLv2 version rollback protection. If the
server is configured for SSLv2 support at compile time, configured for SSLv2
support at runtime and configured with SSLv2 ciphersuites (all three must
hold, and each is off by default), it will accept a connection in which a
version rollback attack has occurred and erroneously reject a normal SSLv2
connection attempt.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/196849
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2021-23840
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an integer
overflow in EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate when the
input length is close to the maximum value of a platform int. The call returns
1 (success) while reporting a negative output length. By supplying an overly
long argument, an attacker could exploit this vulnerability to make the
calling application behave incorrectly or crash.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/196848
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
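The four CVE descriptions across the three advisories are all defects in
specific OpenSSL release levels, so the practical post-fix check is to read
the OpenSSL version string reported by the bundled component (for example the
output of `openssl version`, or `process.versions.openssl` from the bundled
Node.js) and see which of these CVEs it still carries. The following is an
added example, not code from IBM, AusCERT or the OpenSSL project. The bulletin
itself names no OpenSSL versions; the affected and fixed levels below come
from the upstream OpenSSL security advisories of 16 February 2021 (1.0.2y and
1.1.1j) and 25 March 2021 (1.1.1k). The function names are this example's own.

```python
"""Map an OpenSSL version string to the CVEs from this bulletin it still has.

Added example; not IBM, AusCERT or OpenSSL project code. The version data is
taken from the upstream OpenSSL advisories (Feb/Mar 2021), not from the IBM
advisories, which do not state OpenSSL levels.
"""
import re

# Per CVE: the release lines that carry the bug, and for each line the first
# affected patch letter (inclusive) and the first fixed patch letter. "" is the
# unlettered base release. CVE-2021-3450 was introduced in 1.1.1h, so 1.1.1
# through 1.1.1g do not have it; CVE-2021-23839 lives in SSLv2 code that only
# the 1.0.2 line still contains.
FIXED_IN = {
    "CVE-2021-23839": {(1, 0, 2): ("", "y")},
    "CVE-2021-23840": {(1, 0, 2): ("", "y"), (1, 1, 1): ("", "j")},
    "CVE-2021-3449":  {(1, 1, 1): ("", "k")},
    "CVE-2021-3450":  {(1, 1, 1): ("h", "k")},
}

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text):
    """'OpenSSL 1.1.1k  25 Mar 2021' or '1.1.1j+quic' -> ((1, 1, 1), 'k').

    Accepts raw `openssl version` output as well as bare version strings.
    """
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return (int(m[1]), int(m[2]), int(m[3])), m[4]


def open_cves(text):
    """Return the bulletin's CVEs still present in the given OpenSSL build.

    An empty list means all four are fixed (or the build is a 3.x release,
    which postdates every fix). Release lines the upstream advisories did not
    assess (1.1.0, 1.0.1 and older, all end of life) raise instead of
    silently reporting "clean".
    """
    line, letter = parse_openssl_version(text)
    if line[0] >= 3:
        return []
    if line not in {(1, 0, 2), (1, 1, 1)}:
        raise ValueError(f"OpenSSL {'.'.join(map(str, line))} is an end-of-life "
                         "line not assessed by these advisories")
    present = []
    for cve, lines in FIXED_IN.items():
        if line in lines:
            first_bad, first_fixed = lines[line]
            # Single-letter patch levels compare correctly as strings.
            if first_bad <= letter < first_fixed:
                present.append(cve)
    return sorted(present)


if __name__ == "__main__":
    # Constructed sample strings, as a tool or script might report them.
    for sample in ("OpenSSL 1.1.1j  16 Feb 2021", "1.1.1k+quic",
                   "OpenSSL 1.0.2u  20 Dec 2019", "3.0.2"):
        print(f"{sample:30} -> {open_cves(sample) or 'fixed'}")
```

Feed it whatever the bundled component actually reports; an application
statically linked against OpenSSL is not fixed by patching the operating
system's shared library, which is why the IBM fixes above ship new Node.js and
ODBC driver builds rather than relying on the host.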

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12

IBM App Connect Enterprise V12


Remediation/Fixes

1. IT37078 addresses the DataDirect ODBC driver, which is affected by
CVE-2021-23840.

2. IT36322 addresses the bundled version of Node.js, which is affected by
CVE-2021-23840 and CVE-2021-23839.

+--------------+--------------------+---------+-------------------------------+
|   Product    |        VRMF        |APAR     |       Remediation / Fix       |
+--------------+--------------------+---------+-------------------------------+
|IBM App       |                    |         |The APAR is available in fix   |
|Connect       |V11.0.0.0-V11.0.0.12|IT36322, |pack 11.0.0.13                 |
|Enterprise    |                    |IT37078  |IBM App Connect Enterprise     |
|              |                    |         |Version V11-Fix Pack 11.0.0.13 |
+--------------+--------------------+---------+-------------------------------+
|              |                    |         |Interim fix for APAR IT36322 is|
|              |                    |         |available from                 |
|              |                    |         |IBM Fix Central                |
|IBM           |V10.0.0.0 -         |IT36322, |                               |
|Integration   |V10.0.0.23          |IT37078  |Interim fix for APAR IT37078 is|
|Bus           |                    |         |available from                 |
|              |                    |         |IBM Fix Central                |
|              |                    |         |                               |
|              |                    |         |                               |
+--------------+--------------------+---------+-------------------------------+
|IBM App       |                    |         |Interim fix for APAR IT37078 is|
|Connect       |V12.0.1.0           |IT37078  |available from                 |
|Enterprise    |                    |         |                               |
|              |                    |         |IBM Fix Central                |
+--------------+--------------------+---------+-------------------------------+

IBM Integration Bus V9 is no longer in full support; IBM recommends upgrading
to a fixed, supported version/release/platform of the product. If you are a
customer with extended support and require a fix, contact IBM support.
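The three remediation tables above express the same question three times: is
a given product build inside an affected VRMF range, and if so which APAR and
fix apply? The following is an added example, not code from IBM or AusCERT,
that answers it for an inventory. The version ranges, APAR numbers, CVE lists
and remediation wording are copied from the advisories above; the function
names, the data layout and the sample inventory are this example's own
assumptions.

```python
"""Triage helper for the three IBM advisories in this bulletin.

Given a product name and a deployed VRMF (Version.Release.Modification.Fix,
for example "V11.0.0.12"), report whether that build falls inside an affected
range and which APAR(s) and fix the advisories point to.

Added example; not code from IBM or AusCERT. Ranges, CVEs, APARs and
remediation text are copied from the advisories; everything else is assumed.
"""
from __future__ import annotations

IIB = "IBM Integration Bus"
ACE = "IBM App Connect Enterprise"

# APAR -> (component it fixes, CVEs it covers), as stated in the advisories.
APARS = {
    "IT36322": ("Node.js (bundled OpenSSL)",
                ("CVE-2021-3449", "CVE-2021-3450",
                 "CVE-2021-23839", "CVE-2021-23840")),
    "IT37078": ("DataDirect ODBC drivers",
                ("CVE-2021-3449", "CVE-2021-3450", "CVE-2021-23840")),
}

# (product, lowest affected VRMF, highest affected VRMF, APARs, remediation)
AFFECTED = (
    (IIB, "10.0.0.0", "10.0.0.23", ("IT36322", "IT37078"),
     "interim fixes for IT36322 and IT37078 from IBM Fix Central"),
    (ACE, "11.0.0.0", "11.0.0.12", ("IT36322", "IT37078"),
     "fix pack 11.0.0.13"),
    (ACE, "12.0.1.0", "12.0.1.0", ("IT37078",),
     "interim fix for IT37078 from IBM Fix Central"),
)


def parse_vrmf(text: str) -> tuple[int, int, int, int]:
    """Parse 'V11.0.0.12', '11.0.0.12' or '10.0.0' into a 4-tuple of ints.

    Shorter strings are zero-padded ('10.0.0' -> 10.0.0.0), which is how the
    advisory writes the low end of the IIB V10 range. Anything else raises.
    """
    s = text.strip()
    if s[:1] in ("V", "v"):
        s = s[1:]
    parts = s.split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a VRMF: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def triage(product: str, vrmf: str) -> dict:
    """Return {'status', 'apars', 'cves', 'remediation'} for one deployment.

    status is 'affected' (inside a listed range), 'unsupported' (IIB V9 and
    older, which the advisory says is out of full support) or
    'not_in_affected_range' (at or past the fix level, or a release the
    advisories do not list).
    """
    v = parse_vrmf(vrmf)
    for prod, low, high, apars, remediation in AFFECTED:
        if prod == product and parse_vrmf(low) <= v <= parse_vrmf(high):
            cves = sorted({c for a in apars for c in APARS[a][1]})
            return {"status": "affected", "apars": list(apars),
                    "cves": cves, "remediation": remediation}
    if product == IIB and v[0] <= 9:
        return {"status": "unsupported", "apars": [], "cves": [],
                "remediation": "upgrade to a supported release; extended-"
                               "support customers needing a fix contact IBM"}
    return {"status": "not_in_affected_range", "apars": [], "cves": [],
            "remediation": "none required by these advisories"}


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    inventory = [
        ("iib-prod-01", IIB, "V10.0.0.21"),
        ("ace-prod-02", ACE, "V11.0.0.12"),
        ("ace-prod-03", ACE, "V11.0.0.13"),
        ("ace-dev-04", ACE, "V12.0.1.0"),
        ("iib-legacy-05", IIB, "V9.0.0.8"),
    ]
    for host, product, vrmf in inventory:
        r = triage(product, vrmf)
        print(f"{host:14} {product:27} {vrmf:11} {r['status']:22} "
              f"{','.join(r['apars']) or '-':16} {r['remediation']}")
```

Note that a build reporting 11.0.0.13 is outside every range because that is
the fix pack itself, while an ACE 12 build other than 12.0.1.0 is reported as
not in range only because the advisories list no other V12 level; treat that
as "not assessed here", not as "clean".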


Workarounds and Mitigations

None

Change History

15 Jun 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----