Lucene search

IBM1361F5254744955BD204F0E9B444F0E7F994B6408DE5648F4E70F2A71246F1DF

HistoryJun 04, 2024 - 4:51 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands are vulnerable to arbitrary code execution due to [CVE-2024-29651]

2024-06-0416:51:13

www.ibm.com

ibm app connect enterprise

arbitrary code execution

cve-2024-29651

upgrade

continuous delivery

long term support

vulnerability

7.7 High

AI Score

Confidence

High

0 Low

EPSS

Percentile

0.0%

JSON

Summary

Node.js module @apidevtools/json-schema-ref-parser is used by IBM App Connect Enterprise Certified Container for processing JSON schemas defining the App Connect Enterprise administration API. IBM App Connect Enterprise Certified Container Dashboard and DesignerAuthoring operands are vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability in Node.js module @apidevtools/json-schema-ref-parser. [CVE-2024-29651]

Vulnerability Details

CVEID:CVE-2024-29651
**DESCRIPTION:**API Dev Tools json-schema-ref-parser could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw in the bundle(), parse(), resolve() and dereference() functions. By adding or modifying properties of Object.prototype using a proto or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/291139 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	10.1
App Connect Enterprise Certified Container	11.0
App Connect Enterprise Certified Container	11.1
App Connect Enterprise Certified Container	11.2
App Connect Enterprise Certified Container	11.3

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container from 10.1.0 up to 11.3.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 11.4.0 or higher, and ensure that all DesignerAuthoring and Dashboard components are at 12.0.11.3-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.16 or higher, and ensure that all DesignerAuthoring and Dashboard components are at 12.0.11.3-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch10.1

ibmapp_connect_enterpriseMatch11.0

ibmapp_connect_enterpriseMatch11.1

ibmapp_connect_enterpriseMatch11.2

ibmapp_connect_enterpriseMatch11.3

CPENameOperatorVersion
ibm app connect enterpriseeq5.0
ibm app connect enterpriseeq10.1
ibm app connect enterpriseeq11.0
ibm app connect enterpriseeq11.1
ibm app connect enterpriseeq11.2
ibm app connect enterpriseeq11.3

Name	Operator	Version
ibm app connect enterprise	eq	5.0
ibm app connect enterprise	eq	10.1
ibm app connect enterprise	eq	11.0
ibm app connect enterprise	eq	11.1
ibm app connect enterprise	eq	11.2
ibm app connect enterprise	eq	11.3