Scoring | Score | Metrics | Vector |
---|---|---|---|
CVSS2 | 5 Medium | Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL | AV:N/AC:L/Au:N/C:N/I:N/A:P |
CVSS3 | 7.5 High | Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
EPSS | 0.001 Low | Percentile: 39.4% | |
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2021-41039, CVE-2021-34432, CVE-2021-34431). The fix includes Eclipse Mosquitto v2.0.15.
CVEID: CVE-2021-41039
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending specially-crafted CONNECT packets containing lots of "user properties", a remote attacker could exploit this vulnerability to cause excessive CPU usage and loss of performance, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/214367 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-34432
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by improper input validation. By sending a PUBLISH packet with a zero-length topic, a remote authenticated attacker could exploit this vulnerability to cause the server to crash.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/206468 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2021-34431
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw in the broker. By sending a specially-crafted CONNECT message, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/206314 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
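As an added example (not IBM's or Eclipse Mosquitto's code), the following broker-side pre-validator parses raw MQTT packets and rejects the two input shapes the descriptions above rely on: an MQTT 5 CONNECT whose property block carries more User Properties than a local limit, and a PUBLISH with a zero-length topic. MAX_USER_PROPERTIES is an assumed policy value, the checker assumes topic aliases are not in use, and the sample packets are constructed.

```python
import struct
# Added example, not IBM's or Eclipse Mosquitto's code. MAX_USER_PROPERTIES is an
# assumed local policy (MQTT 5 sets no limit); the sample packets are constructed.
MAX_USER_PROPERTIES = 32
# CONNECT property id -> wire form: int width in bytes, "s" = one 2-byte-length-
# prefixed string/binary field, "ss" = User Property (0x26) key/value string pair
CONNECT_PROPS = {0x11: 4, 0x27: 4, 0x21: 2, 0x22: 2, 0x19: 1, 0x17: 1,
                 0x15: "s", 0x16: "s", 0x26: "ss"}
SAMPLE_PUBLISH_EMPTY_TOPIC = b"\x30\x04\x00\x00hi"            # QoS 0, topic length 0
SAMPLE_CONNECT_V5 = (b"\x10\x15\x00\x04MQTT\x05\x02\x00\x3c"  # v5, clean start, keep alive 60
                     b"\x07\x26\x00\x01k\x00\x01v\x00\x01z")  # one user property k=v, client id z
def read_varint(buf, pos):  # MQTT variable byte integer at pos -> (value, next_pos)
    value, shift = 0, 0
    for _ in range(4):                       # the encoding allows at most four bytes
        b, pos = buf[pos], pos + 1
        value, shift = value | (b & 0x7F) << shift, shift + 7
        if not b & 0x80:
            return value, pos
    raise ValueError("malformed variable byte integer")
def skip_field(buf, pos):  # skip one 2-byte-length-prefixed UTF-8 string or binary field
    return pos + 2 + struct.unpack_from(">H", buf, pos)[0]
def count_user_properties(buf, pos):  # walk a CONNECT property block, count User Properties
    plen, pos = read_varint(buf, pos)
    end, count = pos + plen, 0
    while pos < end:
        kind, pos = CONNECT_PROPS[buf[pos]], pos + 1   # KeyError: id not valid in CONNECT
        if kind == "ss":
            pos, count = skip_field(buf, skip_field(buf, pos)), count + 1
        else:
            pos = skip_field(buf, pos) if kind == "s" else pos + kind
    if pos != end:
        raise ValueError("property block overruns its declared length")
    return count
def validate(packet):  # return "ok" or "reject: <reason>" for one raw MQTT control packet
    try:
        remaining, pos = read_varint(packet, 1)
        if pos + remaining != len(packet):
            return "reject: remaining length mismatch"
        if packet[0] >> 4 == 1:                           # CONNECT
            pos = skip_field(packet, pos)                 # protocol name "MQTT"
            level, pos = packet[pos], pos + 4             # level, flags, keep alive
            if level == 5 and count_user_properties(packet, pos) > MAX_USER_PROPERTIES:
                return "reject: too many user properties in CONNECT"
        elif packet[0] >> 4 == 3 and struct.unpack_from(">H", packet, pos)[0] == 0:
            return "reject: zero-length topic in PUBLISH"  # topic aliases not supported here
        return "ok"
    except (IndexError, KeyError, ValueError, struct.error):
        return "reject: malformed packet"
```

Truncated or over-long packets fall through to the generic "malformed packet" rejection rather than raising, so the checker can sit in front of the broker's own parser.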
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.8.0 |
IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.20 |
IBM Integration Bus | 10.1 |
IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise & IBM Integration Bus.
Product(s) | Version(s) | APAR | Remediation / Fix |
---|---|---|---|
IBM App Connect Enterprise | v12.0.1.0 - v12.0.8.0 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 12.0.8.0 from |
IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.20 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 11.0.0.20 from |
IBM Integration Bus | v10.1 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 10.1 from |
IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43353 | Interim fix for APAR (IT43353) is available to apply to 10.0.0.26 from |