Security Bulletin: IBM API Connect is impacted by multiple open source software vulnerabilities.

Published: 2019-04-01 17:05
Source: www.ibm.com
EPSS: 0.007 (Low), percentile 80.0%

Summary

IBM API Connect has addressed the following vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-0268 DESCRIPTION: Microsoft Server Message Block 1.0 (SMBv1) could allow a remote attacker to obtain sensitive information, caused by improper handling of incoming requests. By sending specially-crafted packet data to the server, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125554 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-0210 DESCRIPTION: Cisco Data Center Network Manager is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by the web-based management interface. By persuading a user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/139992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2018-0021 DESCRIPTION: Juniper Networks Junos OS is vulnerable to a man-in-the-middle attack, caused by an error when configured with short MACsec keys. By using brute-force techniques, a remote attacker from within the local network could exploit this vulnerability to obtain the secret passphrases configured for these keys.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141516 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

CVEID: CVE-2016-10531 DESCRIPTION: Node.js marked module is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the link components. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/149101 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-11698 DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::handle_error. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144297 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11499 DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a use-after-free in handle_error() in sass_context.cpp. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143880 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11693 DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::skip_over_scopes. By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144323 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11697 DESCRIPTION: LibSass could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read of a memory region in the function Sass::Prelexer::exactly(). By using a specially-crafted file, a remote attacker could exploit this vulnerability to obtain sensitive information or cause a denial of service.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144302 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)

CVEID: CVE-2018-11696 DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Inspect::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144308 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11694 DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Functions::selector_append. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144317 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID: CVE-2018-11695 DESCRIPTION: LibSass is vulnerable to a denial of service, caused by a NULL pointer dereference in the function Sass::Expand::operator. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144311 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM API Connect versions 5.0.8.0-5.0.8.4 and 2018.1-2018.4.1.2

Remediation/Fixes

| Affected Product | Addressed in VRMF | APAR | Remediation/First Fix |
|---|---|---|---|
| IBM API Connect 5.0.8.0-5.0.8.4 | 5.0.8.5 | LI80724 | Addressed in IBM API Connect V5.0.8.5 fix pack. Follow this link and find the APIConnect-Portal package: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.4&platform=All&function=all&source=fc |
| IBM API Connect V2018.1 - 2018.4.1.2 | 2018.4.1.3 fix pack | LI80724 | Addressed in IBM API Connect v2018.4.1.3 fix pack. Management server and Analytics components are impacted. Follow this link and find the appropriate form factor for your installation ("management", "analytics", apicup* or ICP) for 2018.4.1.3: http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+API+Connect&release=2018.4.1.2&platform=All&function=all&source=fc |


Workarounds and Mitigations

None