Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to multiple openSSL vulnerabilities in Node.js (CVE-2022-1434, CVE-2022-1343, CVE-2022-1473)

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a man-in-the-middle attack, remote attacker bypassing security restrictions and denial of service due to openSSL vulnerabilities in Node.js (CVE-2022-1434, CVE-2022-1343, CVE-2022-1473). IBM App Connect provides a fix/fix pack including openSSL 1.1.1o. Mitigation steps to disable node.js have been recommended for IBM Integration Bus

Vulnerability Details

CVEID:CVE-2022-1434
**DESCRIPTION:**OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of the AAD data as the MAC key in the RC4-MD5 ciphersuite. A remote attacker could exploit this vulnerability to predict the MAC key and launch a man-in-the-middle attack and gain access to the communication channel between endpoints to modify data in transit in such a way that it will pass a MAC integrity check.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2022-1343
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a incorrect verification of response signing certificates by the OCSP_basic_verify function. By sending a specially-crafted request using the OCSP_NOCHECKS flag, an attacker could exploit this vulnerability to forge positive verification results.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-1473
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a resource leakage when decoding certificates and keys by the OPENSSL_LH_flush() function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225616 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and mitigation to IBM Integration Bus **

10.0.0.0 - 10.0.0.26

(Linux x86-64 and Windows x86-64 only)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise

This APAR is available in fix pack 12.0.5.0

IBM App Connect Enterprise Version v12 - Fix Pack 12.0.5.0

IBM App Connect Enterprise| 11.0.0.0 - 11.0.0.18| IT41231|

This apar is available as an ifix from

Fix Central

IBM Integration Bus| 10.0.0.0 - 10.0.0.26| | see section Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below

For IBM Integration Bus v10 V10.0.0.24 -V10.0.0.26 users can disable node js

Refer to ‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’