Multiple vulnerabilities in IBM Sterling B2B Integrator
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-40690 CVE-2014-8152 |
| CWE-ID | CWE-200 CWE-347 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
IBM Sterling B2B Integrator Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Information disclosure
EUVDB-ID: #VU58198
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-40690
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. A remote attacker can abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Sterling B2B Integrator: before 6.0.3.8, 6.1.2.2, 6.0.3.8
CPE2.3 External linkshttps://www.ibm.com/support/pages/node/6963085
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper Verification of Cryptographic Signature
EUVDB-ID: #VU73268
Risk: Medium
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2014-8152
CWE-ID:
CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to improper signature validation mechanism. A remote attacker can modify the XML document in the way that it appears to be valid for the streaming XML signature protection mechanism.
MitigationInstall update from vendor's website.
Vulnerable software versionsIBM Sterling B2B Integrator: before 6.0.3.8, 6.1.2.2, 6.0.3.8
CPE2.3https://www.ibm.com/support/pages/node/6963085
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
