SB2022101811 - Multiple vulnerabilities in IBM Sterling B2B Integrator

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Insufficient Session Expiration (CVE-ID: CVE-2021-34428)

The vulnerability allows an attacker to gain access to sensitive information.

The vulnerability exists due to insufficient session expiration issue. If an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated.

2) Input validation error (CVE-ID: CVE-2021-28169)

The vulnerability allows a remote attacker to gain access to sensitive information..

The vulnerability exists due to a double decoding issue when parsing URI with certain characters. A remote attacker can send requests to the ConcatServlet and WelcomeFilter and view contents of protected resources within the WEB-INF directory.

Example:

/concat?/%2557EB-INF/web.xml

3) Improper access control (CVE-ID: CVE-2021-34429)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper input validation when processing certain characters in URI. A remote attacker can send a specially crafted HTTP request with encoded characters in URI, bypass implemented security restrictions and access content of the WEB-INF directory.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-due-to-eclipse-jetty/"
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-sterling-b2b-integrator-vulnerable-due-to-eclipse-jetty/</a><br>
• https://www.ibm.com/support/pages/node/6829867<br></p>