Security Bulletin: IBM API Connect is impacted by a vulnerability in Golang (CVE-2021-27919)

2021-08-1623:03:41

www.ibm.com

0.001 Low

EPSS

Percentile

30.0%

JSON

Summary

IBM API Connect has addressed the following vulnerability.

Vulnerability Details

CVEID:CVE-2021-27919
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the Reader.Open API when use a ZIP archive containing files start with “…/”. By persuading a victim to open a specially-crafted ZIP archive, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198076 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

API Connect	V10.0.0.0 - V10.0.1.2
API Connect
V10.0.1-10.0.2

API Connect| V2018.4.1.0-2018.4.1.16

Remediation/Fixes

Affected Product	Addressed in VRMF	APAR	Remediation/First Fix

IBM API Connect

V2018.4.1.0-2018.4.1.16

| 2018.4.1.17| LI82279 |

Addressed in IBM API Connect V2018.4.1.17.

Follow this link and find the appropriate package.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V10.0.0.0-V10.0.1.1

| 10.0.1.2|

LI82279

Addressed in IBM API Connect V10.0.1.4.

Follow this link and find the appropriate package.

http://www.ibm.com/support/fixcentral/swg/quickorder

IBM API Connect

V10.0.1-10.0.2

| 10.0.3
|

LI82279

Addressed in IBM API Connect 10.0.3.

Follow this link and find the appropriate package.

http://www.ibm.com/support/fixcentral/swg/quickorder

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm api connecteq2018.4.1.0
ibm api connecteq2018.4.1.16
ibm api connecteq10.0.1
ibm api connecteq10.0.2
ibm api connecteq10.0.1.0
ibm api connecteq10.0.1.2

Name	Operator	Version
ibm api connect	eq	2018.4.1.0
ibm api connect	eq	2018.4.1.16
ibm api connect	eq	10.0.1
ibm api connect	eq	10.0.2
ibm api connect	eq	10.0.1.0
ibm api connect	eq	10.0.1.2