May 28, 2021 - 7:22 p.m.

Security Bulletin: Multiple Security Vulnerabilities have been resolved in IBM Application Gateway (CVE-2021-20576, CVE-2021-20575, CVE-2021-29665)

2021-05-28 19:22:00
www.ibm.com

EPSS: 0.001 (percentile 41.3%)

Summary

Multiple security vulnerabilities have been fixed in the IBM Application Gateway product.

Vulnerability Details

CVEID: CVE-2021-20576
**DESCRIPTION:** IBM Application Gateway could allow a remote attacker to send a specially crafted HTTP GET request that could cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199280 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-20575
**DESCRIPTION:** IBM Application Gateway allows web pages to be stored locally, where they can be read by another user on the system.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199278 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2021-29665
**DESCRIPTION:** IBM Application Gateway is vulnerable to a stack-based buffer overflow, caused by improper bounds checking, which could allow a local attacker to execute arbitrary code on the system with elevated privileges.
CVSS Base score: 9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199399 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)

**Third Party Entry:** 199398
**DESCRIPTION:** IBM Application Gateway could disclose sensitive information in HTTP server headers that could be used in further attacks against the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199398 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Application Gateway 1.0

Remediation/Fixes

Fixes for IBM Application Gateway can be downloaded from the ibmcom Docker store.

docker pull ibmcom/ibm-application-gateway:21.04
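
To find deployments that still need the fix, the following added example (not part of IBM's bulletin) classifies container images against the fixed tag 21.04. It assumes release tags are numeric YY.MM like the fixed tag and that images use the Docker Hub name shown above; the function names and the sample container list are constructed for illustration.

```shell
# Added example: flag containers still running an IBM Application Gateway
# image older than the fixed tag from the bulletin (21.04).
# Assumption: release tags are numeric YY.MM, like the fixed tag itself.
IAG_REPO="ibmcom/ibm-application-gateway"
IAG_FIXED_TAG="21.04"

# classify_image IMAGE -> prints fixed | outdated | unknown | other
classify_image() {
    local image repo tag
    image="${1#docker.io/}"        # tolerate an explicit Docker Hub prefix
    case "$image" in
        *@sha256:*) repo="${image%%@*}"; tag="" ;;             # pinned by digest
        *:*)        repo="${image%:*}";  tag="${image##*:}" ;;
        *)          repo="$image";       tag="latest" ;;       # implicit tag
    esac
    [ "$repo" = "$IAG_REPO" ] || { echo other; return; }
    # Only YY.MM tags can be ordered; anything else needs a manual check.
    case "$tag" in
        [0-9][0-9].[0-9][0-9]) ;;
        *) echo unknown; return ;;
    esac
    # Drop the dot and compare as integers: 21.04 -> 2104.
    if [ "${tag%.*}${tag#*.}" -ge "${IAG_FIXED_TAG%.*}${IAG_FIXED_TAG#*.}" ]; then
        echo fixed
    else
        echo outdated
    fi
}

# audit_containers: reads "NAME IMAGE" lines on stdin, e.g. from
#   docker ps --format '{{.Names}} {{.Image}}'
# and prints "NAME IMAGE STATUS" for every Application Gateway container.
audit_containers() {
    local name image status
    while read -r name image; do
        [ -n "$name" ] || continue
        status="$(classify_image "$image")"
        [ "$status" = other ] || echo "$name $image $status"
    done
}

# Constructed sample container list (not real output).
SAMPLE_PS='gw-prod ibmcom/ibm-application-gateway:20.12
gw-stage docker.io/ibmcom/ibm-application-gateway:21.04
gw-dev ibmcom/ibm-application-gateway:latest
web nginx:1.19'

printf '%s\n' "$SAMPLE_PS" | audit_containers
```

Containers reported as `unknown` (floating tags such as `latest`, or digest pins) have to be checked by hand, since their tag does not say which release they run.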

Workarounds and Mitigations

None
