Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation due to [CVE-2023-29403]

Summary

The IBM App Connect Enterprise Certified Container operator is written in Golang Go, as are parts of the ace-server application. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to privilege escalation. This bulletin provides patch information to address the reported vulnerability in Golang Go. [CVE-2023-29403]

Vulnerability Details

CVEID:CVE-2023-29403
**DESCRIPTION:**Golang Go could allow a local authenticated attacker to gain elevated privileges on the system, caused by a flaw when a binary is run with the setuid/setgid bits. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges. to read or write contents of the registers.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257653 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 9.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 9.1.0 or higher, and ensure that all components are at 12.0.9.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.9 or higher, and ensure that all components are at 12.0.9.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None