
Security Bulletin: IBM API Connect is impacted by a directory traversal vulnerability in Drupal core SA-CORE-2021-001 (CVE-2020-36193)

2021-04-06 21:28:54
www.ibm.com

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2020-36193
**DESCRIPTION:** Archive_Tar could allow a remote attacker to traverse directories on the system, caused by inadequate checking of symbolic links. An attacker could send a specially-crafted URL request to the Tar.php script containing "dot dot" sequences (/../) to modify arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/195056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
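As an added, defender-side illustration of the check the description says Archive_Tar lacked (example code written for this page, not IBM's, Drupal's or Archive_Tar's), the following Python inspects a tar archive before anything is extracted and flags members whose path or symlink target resolves outside an extraction root, including members that would be written through a symlink planted earlier in the same archive. The root path `/srv/extract` and the in-memory sample archive are constructed assumptions.

```python
import io
import posixpath
import tarfile

ROOT = "/srv/extract"  # hypothetical extraction directory (assumption)

def _outside(p: str) -> bool:
    return p != ROOT and not p.startswith(ROOT + "/")

def _resolve(path: str, links: dict) -> str:
    """Lexically resolve `path` under ROOT, following directories that earlier members made symlinks."""
    parts = [p for p in posixpath.normpath(path).split("/") if p not in ("", ".")]
    cur = ROOT
    for p in parts:
        cur = posixpath.normpath(posixpath.join(cur, p))
        cur = links.get(cur, cur)  # follow a symlink planted earlier in the archive
    return cur

def unsafe_members(tf: tarfile.TarFile) -> list:
    """Names of members whose final write location (path or symlink target) lands outside ROOT."""
    links, bad = {}, []
    for m in tf.getmembers():
        dest = _resolve(m.name, links)
        escapes = _outside(dest)
        if m.issym():
            # Relative link targets are relative to the link's own directory; absolute ones are host paths.
            target = (posixpath.normpath(m.linkname) if m.linkname.startswith("/")
                      else _resolve(posixpath.join(posixpath.dirname(m.name), m.linkname), links))
            links[dest] = target
            escapes = escapes or _outside(target)
        if escapes:
            bad.append(m.name)
    return bad

def build_sample() -> tarfile.TarFile:
    """Constructed archive: a benign file, a symlink leaving ROOT, a file written through it, a dot-dot name."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as w:
        for name, link in [("docs/readme.txt", None), ("docs/out", "../../../etc"),
                           ("docs/out/passwd", None), ("../evil.txt", None)]:
            ti = tarfile.TarInfo(name)
            if link:
                ti.type, ti.linkname = tarfile.SYMTYPE, link
                w.addfile(ti)
            else:
                ti.size = 5
                w.addfile(ti, io.BytesIO(b"hello"))
    buf.seek(0)
    return tarfile.open(fileobj=buf, mode="r")
```

Only the symlink-aware resolution catches `docs/out/passwd`: its name contains no dot-dot at all, so a name-only filter passes it while the write actually lands in /etc.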

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| API Connect | V5.0.0.0-5.0.8.10 |
| API Connect | V2018.4.1.0-V2018.4.1.13 |
| API Connect | V10.0.0.0-10.0.1.1 |

Remediation/Fixes

| Affected Product | Addressed in VRMF | APAR | Remediation / First Fix |
|---|---|---|---|
| IBM API Connect V5.0.0.0-5.0.8.10 iFixes | 5.0.8.10 iFix (Portal) published on or after January 22, 2021 | LI82083 | Addressed in IBM API Connect V5.0.8.10 iFix published on or after January 22, 2021. Developer Portal is impacted. Follow this link and find the “Portal” package: http://www.ibm.com/support/fixcentral/swg/quickorder. If upgrading to 5.0.8.11, refer to important information about the upgrade here: https://www.ibm.com/support/pages/node/6429049 |
| IBM API Connect V2018.4.1.0-2018.4.1.13 | 2018.4.1.15 | LI82083 | Addressed in IBM API Connect V2018.4.1.15. Developer Portal is impacted. Follow this link and find the “Portal” package: http://www.ibm.com/support/fixcentral/swg/quickorder |
| IBM API Connect V10.0.0.0-10.0.1.1 | 10.0.1.2 | LI82083 | Addressed in IBM API Connect V10.0.1.2. Developer Portal is impacted. Follow this link and find the “Portal” package: http://www.ibm.com/support/fixcentral/swg/quickorder |

Workarounds and Mitigations

Disable uploads of .tar, .tar.gz, .bz2, or .tlz files to mitigate the vulnerability.