OpenSSL is used by IBM App Connect Enterprise Certified Container for certificate creation and verification. IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service when processing a malicious certificate. This bulletin provides patch information to address the reported vulnerability CVE-2022-0778 in OpenSSL.
CVEID:CVE-2022-0778
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 1.1-eus with Operator |
App Connect Enterprise Certified Container | 2.1 with Operator |
App Connect Enterprise Certified Container | 3.0 with Operator |
App Connect Enterprise Certified Container | 3.1 with Operator |
App Connect Enterprise Certified Container | 4.0 with Operator |
App Connect Enterprise Certified Container 2.1, 3.0, 3.1 and 4.0 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 4.1.0 or higher, and ensure that all components are at 12.0.4.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)
Upgrade to App Connect Enterprise Certified Container Operator version 1.1.8 or higher, and ensure that all components are at 11.0.0.17-r1-eus or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator>
None