CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
78.6%
libssh is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability CVE-2021-3634
CVEID:CVE-2021-3634
**DESCRIPTION:**libssh is vulnerable to a heap-based buffer overflow, caused by improper bounds checking. By sending a specially-crafted request, a remote authenticated attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208281 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 1.1-eus with Operator |
App Connect Enterprise Certified Container | 3.0 with Operator |
App Connect Enterprise Certified Container | 3.1 with Operator |
App Connect Enterprise Certified Container | 4.0 with Operator |
App Connect Enterprise Certified Container | 4.1 with Operator |
App Connect Enterprise Certified Container 3.0, 3.1, 4.0 and 4.1 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 4.2.0 or higher, and ensure that all components are at 12.0.4.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)
Upgrade to App Connect Enterprise Certified Container Operator version 1.1.10 or higher, and ensure that all components are at 11.0.0.18-r1-eus or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | app_connect_enterprise | 1.1.0 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.1 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.2 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.3 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.3:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.4 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.4:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.5 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.5:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.6 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.6:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.7 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.7:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.8 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.8:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 1.1.9 | cpe:2.3:a:ibm:app_connect_enterprise:1.1.9:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
78.6%