Nov 17, 2020 - 12:14 p.m.

Security Bulletin: App Connect Enterprise Certified Container Dashboard is vulnerable to (CVE-2020-15168)

2020-11-17 12:14:48
www.ibm.com
EPSS: 0.001 (Low), Percentile: 42.5%

Summary

App Connect Enterprise Certified Container is vulnerable to CVE-2020-15168, which may lead to a denial of service.

Vulnerability Details

**CVEID:** CVE-2020-15168
**DESCRIPTION:** The Node.js node-fetch module is vulnerable to a denial of service, caused by the failure to honor the size option after following a redirect. By using a specially crafted file, a remote attacker could exploit this vulnerability to consume excessive resources on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188155 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
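
The bug class described above is a body-size limit that stops applying once a redirect is followed. As an added example (not code from IBM or node-fetch), the sketch below uses only Node's built-in `http` module to enforce a byte cap on the streamed body at every hop; `fetchCapped`, `demo` and the local server routes are constructed for illustration.

```javascript
// Added illustration (not IBM or node-fetch code); uses only Node's built-in http.
const http = require('http');

// Follow up to maxRedirects hops and reject once the body exceeds maxBytes.
function fetchCapped(url, maxBytes, maxRedirects = 5) {
  return new Promise((resolve, reject) => {
    const req = http.get(url, { agent: false }, (res) => {
      const location = res.headers.location;
      if (res.statusCode >= 300 && res.statusCode < 400 && location) {
        res.resume(); // discard the redirect response body
        if (maxRedirects === 0) return reject(new Error('too many redirects'));
        // Recurse with the SAME cap so the limit survives the redirect.
        const next = new URL(location, url).href;
        return resolve(fetchCapped(next, maxBytes, maxRedirects - 1));
      }
      const chunks = [];
      let received = 0;
      res.on('data', (chunk) => {
        received += chunk.length;
        if (received > maxBytes) {
          req.destroy(); // stop reading instead of buffering the rest
          return reject(new Error(`body exceeds ${maxBytes} bytes`));
        }
        chunks.push(chunk);
      });
      res.on('end', () => resolve(Buffer.concat(chunks)));
      res.on('error', reject);
    });
    req.on('error', reject);
  });
}

// Constructed local server: /redirect answers 302 -> /big (1 MiB body).
async function demo() {
  const server = http.createServer((req, res) => {
    if (req.url === '/redirect') {
      res.writeHead(302, { Location: '/big' });
      return res.end();
    }
    res.end(req.url === '/big' ? Buffer.alloc(1024 * 1024, 0x41) : 'ok');
  });
  await new Promise((ready) => server.listen(0, '127.0.0.1', ready));
  const base = `http://127.0.0.1:${server.address().port}`;
  const small = (await fetchCapped(`${base}/small`, 1024)).toString();
  const viaRedirect = await fetchCapped(`${base}/redirect`, 1024).catch((e) => e.message);
  server.close();
  return { small, viaRedirect };
}

demo().then((result) => console.log(result));
```

Counting bytes on the stream, rather than trusting `Content-Length` or a per-request option, keeps the limit in force whichever URL ends up serving the body.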

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| App Connect Enterprise Certified Container | 1.0.0 with Operator |
| App Connect Enterprise Certified Container | 1.0.1 with Operator |
| App Connect Enterprise Certified Container | 1.0.2 with Operator |
| App Connect Enterprise Certified Container | 1.0.3 with Operator |
| App Connect Enterprise Certified Container | 1.0.4 with Operator |

Remediation/Fixes

Upgrade App Connect Enterprise Certified Container to Operator version 1.0.5 (available in CASE 1.0.6) or higher, and ensure that any operand components are upgraded to 11.0.0.10-r2 or higher.

Workarounds and Mitigations

None
