IBME021B3BC3EDC4F842310654287B2EF8BF1F6BDEA3BCA58F2F657EC4011C0E931Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
77.6%
Summary
Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to remote attack due to Go CVE-2021-44717 with details below
Vulnerability Details
CVEID:CVE-2021-44717
**DESCRIPTION:**Golang Go could allow a remote attacker to bypass security restrictions, caused by an error in the syscall.ForkExec() interface. By causing the erroneous closing of file descriptor 0 after file-descriptor exhaustion, an attacker could exploit this vulnerability to compromise data integrity and/or confidentiality in a somewhat uncontrolled way in programs linked with and using syscall.ForkExec().
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/216563 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| Platform Navigator in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
| 2021.1.1 | |
| 2021.2.1 | |
| 2021.3.1 | |
| 2021.4.1 | |
| Automation Assets in IBM Cloud Pak for Integration (CP4I) | 2020.4.1 |
| 2021.1.1 | |
| 2021.2.1 | |
| 2021.4.1 |
Remediation/Fixes
Platform Navigator 2020.4.1 in****IBM Cloud Pak for Integration
Upgrade Platform Navigator 2020.4.1 to 2020.4.1-6-eus using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2020.4?topic=202041-upgrading-platform-navigator-component-deployment-interface>
Platform Navigator version 2021.1, 2021.2, 2021.3, or 2021.4 in IBM Cloud Pak for Integration
Upgrade Platform Navigator to 2021.4.1-1 using the Operator upgrade process described in the IBM Documentation
**
Asset Repository version 2020.4.1 in IBM Cloud Pak for Integration**
Upgrade Asset Repository to 2020.4.1-5-eus using the Operator upgrade process described in the IBM Documentation
Asset Repository version 2021.1, 2021.2, or 2021.4 in IBM Cloud Pak for Integration
Upgrade Asset Repository to 2021.4.1-3 using the Operator upgrade process described in the IBM Documentation
Workarounds and Mitigations
None
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_for_automation | 2020.4.12021.1.12021.2.12021.3.12021.4.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:2020.4.12021.1.12021.2.12021.3.12021.4.1:*:*:*:*:*:*:* |
| ibm | cloud_pak_for_automation | 2020.4.12021.1.12021.2.12021.4.1 | cpe:2.3:a:ibm:cloud_pak_for_automation:2020.4.12021.1.12021.2.12021.4.1:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
EPSS
Percentile
77.6%