Security Bulletin
Summary
IBM Cloud Pak for Integration is vulnerable to multiple Go vulnerabilities with details of each below
Vulnerability Details
CVEID: CVE-2021-33196
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the NewReader and OpenReader functions in archive/zip. By persuading a victim to open a specially-crafted archive file, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206602 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-34558
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by the failure to properly assert that the type of public key in an X.509 certificate matches the expected type in the crypto/tls package. By persuading a victim to connect to a specially-crafted TLS server, a remote attacker could exploit this vulnerability to cause a TLS client to panic.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205578 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-29923
DESCRIPTION: Golang Go could allow a remote attacker to bypass security restrictions, caused by improper consideration for extraneous zero characters at the beginning of an IP address octet. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access control based on IP addresses.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207025 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2021-36221
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a race condition upon an ErrAbortHandler abort. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a net/http/httputil ReverseProxy panic.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/207036 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-33197
DESCRIPTION: Golang Go could allow a remote attacker to bypass security restrictions, caused by a flaw in the ReverseProxy in net/http/httputil. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop arbitrary headers, including those set by the ReverseProxy.Director.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206603 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2021-33198
DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the SetString and UnmarshalText methods of math/big.Rat. By sending a specially-crafted input, a remote attacker could exploit this vulnerability to cause a panic or an unrecoverable fatal error, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-33195
DESCRIPTION: Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by not following RFC 1035 rules in the LookupCNAME, LookupSRV, LookupMX, LookupNS, and LookupAddr functions in net. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/206601 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Affected Products and Versions
Affected Product(s) | Version(s) |
Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 2021.1.1 2021.2.1 |
Asset Repository in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 2021.1.1 2021.2.1 |
Remediation/Fixes
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface
Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
13 Oct 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
15 October 2021
UID
ibm16501839