APAR status
Closed as program error.
Error description
[All] Node.js (including core and 3rd party modules) - CVE-2022-21824, CVE-2021-44533, CVE-2021-44531, CVE-2021-44532
Local fix
Problem summary
USERS AFFECTED:
IBM Storage Insights users

PROBLEM DESCRIPTION:

CVEID: CVE-2021-44532
Node.js could allow a remote attacker to bypass security restrictions, caused by a string injection vulnerability when name constraints were used within a certificate chain. An attacker could exploit this vulnerability to bypass the name constraints.

CVEID: CVE-2021-44531
Node.js could allow a remote attacker to bypass security restrictions, caused by the improper handling of URI Subject Alternative Name (SAN) types. An attacker could exploit this vulnerability to bypass name-constrained intermediates.

CVEID: CVE-2021-44533
Node.js could allow a remote attacker to bypass security restrictions, caused by the incorrect handling of multi-value Relative Distinguished Names. By crafting certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, an attacker could exploit this vulnerability to bypass the certificate subject verification.

CVEID: CVE-2022-21824
Node.js could provide weaker than expected security, caused by an error related to the formatting logic of the console.table() function. An attacker could exploit this vulnerability using console.table properties to allow an empty string to be assigned to numerical keys of the object prototype.

RECOMMENDATION:
Problem conclusion
The fix for this APAR is contained in the following release: IBM Storage Insights 1Q22 [ 54X-IBM-SI ] ( 1Q 2022 / March )
Temporary fix
Comments
APAR Information
APAR number
IT39897
Reported component name
STORAGE INSIGHT
Reported component ID
5608TPCSI
Reported release
544
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2022-02-07
Closed date
2022-03-22
Last modified date
2022-03-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STORAGE INSIGHT
Fixed component ID
5608TPCSI
Applicable component levels
Document Information
Modified date:
23 March 2022