Security Bulletin
Summary
SMTP is used by IBM i. IBM i has addressed the applicable CVE.
Vulnerability Details
CVEID: CVE-2021-20501
DESCRIPTION: IBM i SMTP allows a network attacker to send emails to non-existent local-domain recipients to the SMTP server, caused by using a non-default configuration. An attacker could exploit this vulnerability to consume unnecessary network bandwidth and disk space, and allow remote attackers to send spam email.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198056 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM i | 7.4 |
| IBM i | 7.3 |
| IBM i | 7.2 |
| IBM i | 7.1 |
Remediation/Fixes
The issue can be fixed by applying a PTF to IBM i. Releases 7.4, 7.3, 7.2, and 7.1 of IBM i are supported and will be fixed.
The IBM i PTF numbers are:
Release 7.4 – SI76106
Release 7.3 – SI75859
Release 7.2 – SI76105
Release 7.1 – SI76114
https://www.ibm.com/support/fixcentral
Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
20 Apr 2021: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
20 April 2021
UID
ibm16445505