Jun 15, 2018 - 7:09 a.m.

Security Bulletin: API Connect is affected by an information leakage vulnerability (CVE-2018-1468)

2018-06-15 07:09:15
www.ibm.com

EPSS: 0.001 (Percentile: 18.9%)

Summary

API Connect has addressed the following vulnerability.

An API Connect user can get access to internal environment and sensitive API details to which they are not authorized.

Vulnerability Details

CVEID: CVE-2018-1468
DESCRIPTION: An API Connect user can get access to internal environment and sensitive API details to which they are not authorized.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140399 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected API Connect | Affected Versions
---|---
IBM API Connect | 5.0.8.1-5.0.8.2

Remediation/Fixes

Affected Product | Addressed in VRMF | APAR | Remediation / First Fix
---|---|---|---
IBM API Connect<br>5.0.8.1 5.0.8.1iFix_20180107-0316_e0506c4ca64d and above<br>5.0.8.2 | 5.0.8.3 | LI79980 | Addressed in IBM API Connect V5.0.8.3.

Management Server is impacted.

Follow this link and find the “APIConnect_Management” package:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.2&platform=All&function=all

Workarounds and Mitigations

None
