Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a local authenticated attacker due to Eclipse IDE (CVE-2023-4218)

Summary

IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to a local authenticated attacker due to Eclipse IDE. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-4218
**DESCRIPTION:**Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By persuading a victim to open specially crafted XML content, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271083 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit

Affected Product(s)

|

Version(s)

|

APAR

|

Remediation / Fixes

—|—|—|—

IBM App Connect Enterprise Toolkit

|

12.0.1.0 - 12.0.11.0

|

IT45231

|

The APAR (IT45231) is available from

IBM App Connect Enterprise v12 - Security Fix Pack Release 12.0.11.1

IBM App Connect Enterprise Toolkit

|

11.0.0.1 - 11.0.0.24

|

IT45231

|

Interim Fix for APAR (IT45231) is available to apply to 11.0.0.24 from

IBM Fix Central

IBM Integration Bus for z/OS Toolkit

|

10.1 - 10.1.0.2

|

IT45231

|

Interim Fix for APAR (IT45231) is available to apply to 10.1.0.2 from

IBM Fix Central

Workarounds and Mitigations

None