SB2022081840 - Multiple vulnerabilities in IBM Cloud Pak for Integration

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Use-after-free (CVE-ID: CVE-2021-22930)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when processing HTTP/2 stream canceling requests. A remote attacker can send a specially crafted HTTP/2 request, trigger a use-after-free error and execute arbitrary code on the system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

2) Incorrect default permissions (CVE-ID: CVE-2021-22921)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists in Windows installer due to incorrect default permissions for files and folders that are set by the application. A local user with access to the system can view contents of files and directories or modify them.

3) Out-of-bounds read (CVE-ID: CVE-2021-22918)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in uv__idna_toascii() function in libuv, which is used to convert strings to ASCII. A remote attacker can force the application to resolve a specially crafted hostname, trigger an out-of-bounds read error and gain access to sensitive information or perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-node-js-vulnerabilities/"
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-cloud-pak-for-integration-is-vulnerable-to-multiple-node-js-vulnerabilities/</a><br><a
• https://www.ibm.com/support/pages/node/6501841"
• https://www.ibm.com/support/pages/node/6501841</a><br><br><br></p>