IBM Support

Security Bulletin: Images built from IBM App Connect Enterprise Certified Containers may be vulnerable to arbitrary code execution due to CVE-2021-37712

Security Bulletin


Summary

The Node.js tar module is used by the package manager npm, which is included in the IBM App Connect Enterprise Certified Container images. Use of npm when building images based on IBM App Connect Enterprise Certified Container images may be vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability CVE-2021-37712 in the Node.js tar module.

Vulnerability Details

CVEID:   CVE-2021-37712
DESCRIPTION:   Node.js tar module could allow a local attacker to execute arbitrary code on the system, caused by an arbitrary file creation/overwrite vulnerability. By creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, an attacker could use an untrusted tar file to symlink into an arbitrary location and extract arbitrary files into that location to create or overwrite arbitrary files and execute arbitrary code on the system.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/208450 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
App Connect Enterprise Certified Container1.1-eus with Operator
App Connect Enterprise Certified Container1.5 with Operator
App Connect Enterprise Certified Container2.0 with Operator
App Connect Enterprise Certified Container2.1 with Operator
App Connect Enterprise Certified Container3.0 with Operator
App Connect Enterprise Certified Container3.1 with Operator

Remediation/Fixes

App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0 and 3.1 (Continuous Delivery)

When building an image based on the App Connect Enterprise Certified Container images, ensure that you use a base image of 12.0.3.0-r2 or higher.

 

App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)

When building an image based on the App Connect Enterprise Certified Container images, ensure that you use a base image of 11.0.0.16-r1-eus or higher.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

See https://www.ibm.com/support/pages/node/6239294 for information supported levels of the ACE Certified Container Operator

Change History

31 Mar 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSDR5J","label":"IBM App Connect Enterprise"},"Component":"Security","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.5, 2.0, 2.1, 3.0, 3.1","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
31 March 2022

Initial Publish date:
31 March 2022

UID

ibm16568345

Page Feedback