Security Bulletin: Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise (CVE-2019-1551)

Summary

Vulnerabilities in OpenSSL affect IBM Integration Bus and IBM App Connect Enterprise . The DataDirect ODBC Drivers and level of node js used by IBM App Connect Enterprise and IBM Integration Bus have addressed the applicable CVEs

Vulnerability Details

CVEID:CVE-2019-1551
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by an overflow in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli. By performing a man-in-the-middle attack, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172752 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

IBM App Connect V11.0.0.0 - V11.0.0.8

IBM Integration Bus V10.0.0.0 -V10.0.0.21

IBM Integration Bus V9.0.0.0 - V9.0.0.11

Remediation/Fixes

Product

|

VRMF

| APAR |

Remediation / Fix

—|—|—|—
IBM App Connect | V11.0.0.0-V11.0.0.8 | IT32544,IT31649 |

The APAR is available in fix pack 11.0.0.9

IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.9

IBM Integration Bus | V10.0.0.0 - V10.0.0.21 | IT32544,IT31649 |

The APAR is available in fix pack 10.0.0.22

IBM Integration Bus V10.0 - Fix Pack 10.0.0.22

IBM Integration Bus | V9.0.0.0 - V9.0.0.11 | IT32544,IT31649 |

Contact IBM support to request for Fix APAR

IBM Integration Bus V9_ is no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _
If you are a customer with extended support and require a fix, contact IBM support.

_IT31649 which addresses the vulnerabilities in DataDirect ODBC Drivers used by IBM App Connect and IBM Integration Bus , is also resolved in 10.0.0.20 & 11.0.0.8. _

Workarounds and Mitigations

None