Security Bulletin: Open Source Dependency Vulnerability
Discription

## Summary

IBM Edge Application Manager 4.5 has resolved the vulnerability.

## Vulnerability Details

** CVEID: **[CVE-2020-15112]()
** DESCRIPTION: **etcd is vulnerable to a denial of service, caused by a flaw in the ReadAll method in wal/wal.go. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause a runtime panic.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186328]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2020-26160]()
** DESCRIPTION: **jwt-go could allow a remote attacker to bypass security restrictions, caused by a type assertion failure when m[“aud”] happens to be []string{}. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/189408]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

** CVEID: **[CVE-2018-16886]()
** DESCRIPTION: **etcd could allow a remote attacker to bypass security restrictions, caused by improper authentication in auth/store.go:AuthInfoFromTLS() when role-based access control (RBAC) is used and client-cert-auth is enabled. By sending a specially crafted REST API request to the gRPC-gateway, an attacker could exploit this vulnerability to bypass authentication.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/155498]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

** CVEID: **[CVE-2021-44716]()
** DESCRIPTION: **Golang Go is vulnerable to a denial of service, caused by an uncontrolled memory consumption in the header canonicalization cache in net/http. By sending HTTP/2 requests, a remote attacker could exploit this vulnerability to consume all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/216553]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2018-1098]()
** DESCRIPTION: **etcd is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unauthorized actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base score: 8.8
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141542]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

** CVEID: **[CVE-2020-15106]()
** DESCRIPTION: **etcd is vulnerable to a denial of service, caused by improper data validation in the decodeRecord method. By sending a specially crafted data, a remote authenticated attacker could exploit this vulnerability to cause panic in decodeRecord method,
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186329]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2020-15113]()
** DESCRIPTION: **etcd could allow a remote attacker to bypass security restrictions, caused by the lack of permission checks in the os.MkdirAll function when a given directory path exists already. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass access restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/186327]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

** CVEID: **[CVE-2018-1099]()
** DESCRIPTION: **etcd could allow a remote attacker to gain access to the DNS records, caused by a DNS rebinding. An attacker could exploit this vulnerability to rebind DNS records.
CVSS Base score: 3.7
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/141541]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

** CVEID: **[CVE-2022-29526]()
** DESCRIPTION: **Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the Faccessat function when called with a non-zero flags parameter. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain accessible file information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/229593]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

** CVEID: **[CVE-2020-14040]()
** DESCRIPTION: **Go Language x/text package is vulnerable to a denial of service, caused by a vulnerability in encoding/unicode in the UTF-16 decoder. By sending a single byte to a UTF16 decoder, a remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184313]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3

## Remediation/Fixes

The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.

## Workarounds and Mitigations

None

##Read More

Back to Main

Subscribe for the latest news: