IBM Integration Bus & IBM App Connect Enterprise V11 ship with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.
CVEID:CVE-2021-22884
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an error when the allowlist includes "localhost6". By controlling the victim's DNS server or spoofing its responses, an attacker could exploit this vulnerability to bypass the DNS rebinding protection mechanism using the "localhost6" domain and cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197191 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H)
CVEID:CVE-2021-22883
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a file descriptor leak. By making multiple attempts to connect with an 'unknownProtocol', an attacker could exploit this vulnerability to lead to an excessive memory usage and cause the system to run out of memory.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM Integration Bus V10.0.0 - V10.0.0.23 (Linux x86-64 and Windows x86-64 only)
IBM App connect Enterprise V11 , V11.0.0.0 - V11.0.0.12
Product
|
VRMF
| APAR|
Remediation / Fix
—|—|—|—
IBM App Connect Enterprise| V11.0.0.0-V11.0.0.12| IT36998|
The APAR is available in fix pack 11.0.0.13
IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.13
IBM Integration Bus | V10.0.0.0 - V10.0.0.23| IT36322|
Interim fix for APAR IT36322 is available from
None