-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2641
Security Bulletins: IBM Integration Bus and IBM App Connect Enterprise v11
                are affected by vulnerabilities in Node.js
                               5 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Integration Bus
                   IBM App Connect Enterprise
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   AIX
Impact/Access:     Denial of Service -- Remote/Unauthenticated
                   Reduced Security  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-27290 CVE-2021-23362 CVE-2021-22884
                   CVE-2021-22883  

Reference:         ASB-2021.0138
                   ASB-2021.0096
                   ESB-2021.0814
                   ESB-2021.0686

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6463977
   https://www.ibm.com/support/pages/node/6466321
   https://www.ibm.com/support/pages/node/6463295

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Integration Bus & IBM App Connect Enterprise V11 are
affected by vulnerabilities in Node.js (CVE-2021-22884, CVE-2021-22883)


Document Information

Product:              IBM Integration Bus
Software version:     -
Operating system(s):  Linux, Windows
Document number:      6463977
Modified date:        04 August 2021


Summary

IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for
which vulnerabilities were reported and have been addressed. Vulnerability
details are listed below.

Vulnerability Details

CVEID:   CVE-2021-22884
DESCRIPTION:   Node.js is vulnerable to a denial of service, caused by an error
when the whitelist includes "localhost6". By controlling the victim's DNS server
or spoofing its responses, an attacker could exploit this vulnerability to bypass
the DNS rebinding protection mechanism using the "localhost6" domain and cause a
denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
197191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)

CVEID:   CVE-2021-22883
DESCRIPTION:   Node.js is vulnerable to a denial of service, caused by a file
descriptor leak. By making multiple attempts to connect with an 'unknownProtocol',
an attacker could exploit this vulnerability to cause excessive memory usage and
make the system run out of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
197190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23 (Linux x86-64 and Windows x86-64 only)

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12


Remediation/Fixes

+--------------+--------------------+----------+-----------------------------+
|   Product    |        VRMF        |APAR      |      Remediation / Fix      |
+--------------+--------------------+----------+-----------------------------+
|              |                    |          |The APAR is available in fix |
|IBM App       |                    |          |pack 11.0.0.13               |
|Connect       |V11.0.0.0-V11.0.0.12|IT36998   |IBM App Connect Enterprise   |
|Enterprise    |                    |          |Version V11-Fix Pack         |
|              |                    |          |11.0.0.13                    |
+--------------+--------------------+----------+-----------------------------+
|IBM           |V10.0.0.0 -         |          |Interim fix for APAR IT36322 |
|Integration   |V10.0.0.23          |IT36322   |is available from            |
|Bus           |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+


Workarounds and Mitigations

None


Acknowledgement


Change History

15 Jun 2021: Initial Publication


- --------------------------------------------------------------------------------


IBM Integration Bus and IBM App Connect Enterprise V11 are affected by
vulnerabilities in Node.js (CVE-2021-23362)


Document Information

Document number    : 6466321
Modified date      : 04 August 2021
Product            : IBM Integration Bus
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows Mobile

Summary

IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for
which vulnerabilities were reported and have been addressed. Vulnerability
details are listed below.

Vulnerability Details

CVEID: CVE-2021-23362
DESCRIPTION: Node.js hosted-git-info module is vulnerable to a denial of
service, caused by a regular expression denial of service (ReDoS) flaw in the
fromUrl function in index.js. By sending a specially-crafted regex input, a
remote attacker could exploit this vulnerability to cause a denial of service
condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198792 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23 (Linux x86-64 and Windows x86-64 only)

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12

Remediation/Fixes

+--------------+--------------------+----------+-----------------------------+
|   Product    |        VRMF        |APAR      |      Remediation / Fix      |
+--------------+--------------------+----------+-----------------------------+
|              |                    |          |The APAR is available in fix |
|IBM App       |                    |          |pack 11.0.0.13               |
|Connect       |V11.0.0.0-V11.0.0.12|IT36998   |IBM App Connect Enterprise   |
|Enterprise    |                    |          |Version V11-Fix Pack         |
|              |                    |          |11.0.0.13                    |
+--------------+--------------------+----------+-----------------------------+
|IBM           |V10.0.0.0 -         |          |Interim fix for APAR IT36322 |
|Integration   |V10.0.0.23          |IT36322   |is available from            |
|Bus           |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+

Workarounds and Mitigations

None


Acknowledgement


Change History

22 Jun 2021: Initial Publication


- --------------------------------------------------------------------------------


IBM Integration Bus & IBM App Connect Enterprise V11 are affected by
vulnerabilities in Node.js (CVE-2021-27290)


Document Information

Document number    : 6463295
Modified date      : 04 August 2021
Product            : IBM Integration Bus
Component          : -
Software version   : -
Operating system(s): Linux
                     Windows

Summary

IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for
which vulnerabilities were reported and have been addressed. Vulnerability
details are listed below.

Vulnerability Details

CVEID: CVE-2021-27290
DESCRIPTION: Node.js ssri module is vulnerable to a denial of service, caused
by a regular expression denial of service (ReDoS) flaw in its handling of SRI
(Subresource Integrity) strings. By sending a specially-crafted string, a remote
attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
198144 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


Affected Products and Versions

IBM Integration Bus V10.0.0 - V10.0.0.23 (Linux x86-64 and Windows x86-64 only)

IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12

Remediation/Fixes

+--------------+--------------------+----------+-----------------------------+
|   Product    |        VRMF        |APAR      |      Remediation / Fix      |
+--------------+--------------------+----------+-----------------------------+
|              |                    |          |The APAR is available in fix |
|IBM App       |                    |          |pack 11.0.0.13               |
|Connect       |V11.0.0.0-V11.0.0.12|IT36998   |IBM App Connect Enterprise   |
|Enterprise    |                    |          |Version V11-Fix Pack         |
|              |                    |          |11.0.0.13                    |
+--------------+--------------------+----------+-----------------------------+
|IBM           |V10.0.0.0 -         |          |Interim fix for APAR IT36322 |
|Integration   |V10.0.0.23          |IT36322   |is available from            |
|Bus           |                    |          |IBM Fix Central              |
+--------------+--------------------+----------+-----------------------------+

Workarounds and Mitigations

None


Acknowledgement


Change History

10 Jun 2021: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYQtwTuNLKJtyKPYoAQi5lg//cFRBZjljFZMOo20m3+AgiB/XeKl0iw5K
UR7FLoP4J7LXFyiXWHaAghs0HeFMxHDdxJiwHasNHDJYZeTp1hkjCfmvpk3zNPQM
niFx0YmS6EBKdGD353865GcHs/hBlLc8AxCQFly3HbMLCVf2DhKt1j2ykVzi9hcy
wXLVt9bMuN+KbzbYoASxtLS+oOk6uTBwKuQGKwsy6moMaQzz6XF7JaOp/k0DCvBO
oFblFVAmgxnXZ8qqJQiNHLTSIUGbrRGHmhOBLq3jy5va32fxLLUWHxyTZ3MoZLuE
yGrrfmNr/ibiokZskLlOWNOHx2mWY+mDuFjgzZk5z2DSH2caL7jo89xr2hYSxW1x
FW1rqrXivFXBjGipuvSvYYv7DXfjAkGiiFjbZjD5CazlgjHyUmrrhiMV/drwpyCT
zb56HcMh1jelQLS489c0nGCdWay8oyasebEL5gkvFjIuAKb/WL/UUA3Qy0US8Uom
hErgW/2t/WrOOp0jfepYNr6Asq2AgL5q7hLlb4UX1KNFMgn8bTFK+6739dBwjEQi
iPrFc1vziZ5llmVAE1eLV0vInzyZ4UvJfiXw2c42Vp+ZF7IWGZfBC9NuRb8TB4wt
n5CRmNOB1zhgVGospiidiz/YZyiPJiHW8TXtuuzpHnxEr1RAKvKjYYwqUrBv+PtO
U5TfzwjlUAc=
=VDoL
-----END PGP SIGNATURE-----