
Security Bulletin: IBM Global Mailbox is vulnerable to remote code execution due to Apache Cassandra (CVE-2021-44521)

2023-07-21 12:42:12
www.ibm.com

8.5 High (CVSS2): Attack Vector NETWORK, Attack Complexity MEDIUM, Authentication SINGLE, Confidentiality Impact COMPLETE, Integrity Impact COMPLETE, Availability Impact COMPLETE
AV:N/AC:M/Au:S/C:C/I:C/A:C

9.1 High (CVSS3): Attack Vector NETWORK, Attack Complexity LOW, Privileges Required HIGH, User Interaction NONE, Scope CHANGED, Confidentiality Impact HIGH, Integrity Impact HIGH, Availability Impact HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.05 Low (Percentile 92.9%)

Summary

IBM Global Mailbox has addressed a remote code execution vulnerability in Apache Cassandra.

Vulnerability Details

CVEID: CVE-2021-44521
**DESCRIPTION:** Apache Cassandra could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw that occurs when the configuration includes enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
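The vulnerability only applies when all three settings named above are present together, so a quick configuration audit is the natural defender-side check. The following is an added example (not from the bulletin or from IBM/Apache) that scans a constructed cassandra.yaml fragment for that exact combination; it uses a minimal top-level key: value parser so it runs without PyYAML, and treats missing keys as not matching because the Cassandra defaults for these three settings are the safe values.

```python
# Added example: flag the cassandra.yaml setting combination that CVE-2021-44521
# depends on. Minimal "key: value" parser so it runs without PyYAML (assumption:
# the three settings sit at top level, as they do in a stock cassandra.yaml).
from typing import Dict, List

# Combination named in the bulletin: scripted UDFs enabled, and the UDF
# sandbox threads disabled. All three must match for a report.
VULNERABLE_COMBINATION = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}

# Constructed sample of a cassandra.yaml fragment (not taken from the bulletin).
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
num_tokens: 256
# UDF settings
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false  # sandbox threads off
"""


def parse_top_level(text: str) -> Dict[str, str]:
    """Parse unindented 'key: value' lines; skips comments and nested blocks."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#" or ":" not in line:
            continue
        key, _, value = line.partition(":")
        # Drop trailing comments and quotes, normalise case for comparison.
        settings[key.strip()] = value.split("#", 1)[0].strip().strip("'\"").lower()
    return settings


def check_udf_exposure(text: str) -> List[str]:
    """Return the matched setting names if the full vulnerable combination is
    present, otherwise an empty list (a partial match is not reported)."""
    settings = parse_top_level(text)
    matched = [k for k, v in VULNERABLE_COMBINATION.items() if settings.get(k) == v]
    return matched if len(matched) == len(VULNERABLE_COMBINATION) else []


def is_vulnerable_configuration(text: str) -> bool:
    return bool(check_udf_exposure(text))


if __name__ == "__main__":
    hits = check_udf_exposure(SAMPLE_YAML)
    print("vulnerable combination present:" if hits else "combination not present", hits)
```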

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Sterling Global Mailbox | 6.1 |
| IBM Sterling Global Mailbox | 6.0 |

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by Apache Zookeeper, which is shipped with Global Mailbox.

| Product and Version(s) | Version | Remediation |
|---|---|---|
| IBM Sterling Global Mailbox | 6.0, 6.1 | Apply fix pack 6.1.2.1. |

Fix Central Images

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.2.1

IBM Sterling File Gateway V6.1.2.1

Workarounds and Mitigations

None
