Security Bulletin: IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto

Published: 2023-10-20 11:35:44
Source: www.ibm.com
Tags: ibm integration bus, denial of service, eclipse mosquitto, vulnerability, memory leak, apar, remediation fix

CVSS3

| Metric | Value |
|---|---|
| Base score | 7.5 |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS: 0.001 (percentile 41.2%)

Summary

IBM Integration Bus is vulnerable to a denial of service due to Eclipse Mosquitto (CVE-2023-28366, CVE-2023-3592, CVE-2023-0809).

Vulnerability Details

CVEID: CVE-2023-28366
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw in the broker. By sending specially crafted QoS 2 messages, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/265815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-3592
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw. By sending specially crafted v5 CONNECT packets, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/265820 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-0809
**DESCRIPTION:** Eclipse Mosquitto is vulnerable to a denial of service, caused by a memory leak flaw. By sending specially crafted v5 CONNECT packets, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/265810 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Integration Bus | 10.1 - 10.1.0.1 |

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by applying the appropriate fix to IBM Integration Bus.

| Affected Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM Integration Bus | 10.1 - 10.1.0.1 | IT44664 | IBM App Connect Enterprise v10.1 - Fix Pack 10.1.0.2 |

The APAR (IT44664) is available from IBM App Connect Enterprise v10.1 - Fix Pack 10.1.0.2.

Workarounds and Mitigations

None

Affected configurations

Vulners node: IBM Integration Bus, version 10.1 OR 10.1.0.1