CVE-2021-4314

Name of the Vulnerable Software and Affected Versions zOSMF versions 1.16 through 1.19

Description It is possible to manipulate the JWT token without the knowledge of the JWT secret and authenticate without a valid JWT token as any user. This issue occurs when zOSMF doesn’t have the APAR PH12143 applied. The services using the ZAAS client or the API ML API to query will be deceived into believing the information in the JWT token is valid when it isn’t. It’s possible to use this to persuade the southbound service that a different user is authenticated.

Recommendations For versions 1.16 through 1.19, apply the APAR PH12143 to resolve the issue. As a temporary workaround, consider restricting access to the ZAAS client and the API ML API to minimize the risk of exploitation. Avoid using the JWT token for authentication until the issue is resolved.