Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise and IBM Integration Bus

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition used by IBM App Connect Enterprise and IBM Integration Bus. These issues were disclosed as part of the IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022 (includes Oracle April 2022 CPU). The fix includes IBM Java SDK 8.0.7.11

Vulnerability Details

CVEID:CVE-2021-35561
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Utility component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21299
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JAXP component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21496
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224777 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21434
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2022-21443
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)

|

Version(s)

—|—

IBM App Connect Enterprise

|

12.0.1.0 - 12.0.5.0

IBM App Connect Enterprise

|

11.0.0.0 - 11.0.0.18

IBM Integration Bus

|

10.0.0.0 - 10.0.0.26

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus

Product(s)

|

Version(s)

|

APAR

|

Remediation / Fix

—|—|—|—

IBM App Connect Enterprise

|

v12.0.1.0 - v12.0.5.0

|

IT41711

|

The APAR (IT41711) is available in fixpack 12.0.6.0

IBM App Connect Enterprise -12.0.6.0

IBM App Connect Enterprise

|

v11.0.0.0 - v11.0.0.18

|

IT41711

|

The APAR (IT41711) is available in fixpack 11.0.0.19

IBM App Connect Enterprise -11.0.0.19

IBM Integration Bus

|

v10.0.0.0 - v10.0.0.26

|

IT41711

|

Interim fix for APAR (IT41711) is available from

IBM Fix Central - Interim fix available to apply to 10.0.0.26

Workarounds and Mitigations

none