Security Bulletin: Vulnerabilities in Node.js affect IBM App Connect Enterprise & IBM Integration Bus (CVE-2021-4160)

Summary

IBM App Connect Enterprise and IBM Integration Bus ship with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID:CVE-2021-4160
**DESCRIPTION:**OpenSSL could provide weaker than expected security, caused by a carry propagation flaw in the MIPS32 and MIPS64 squaring procedure. An attacker could exploit this vulnerability to launch further attacks on the system
CVSS Base score: 6.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218394 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by the applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise

Product(s)

|

Version(s)

|

APAR

|

Remediation/Fix/Instructions

—|—|—|—

IBM App Connect Enterprise

|

v12.0.1.0 - v12.0.3.0

|

IT40273

|

The APAR is available in fix pack 12.0.4.0 <https://www.ibm.com/support/pages/download-ibm-app-connect-enterprise-12040&gt;

IBM App Connect Enterprise

|

v11.0.0.0 - v11.0.0.16

|

IT40273

|

The APAR is available in fix pack 11.0.0.17

IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.17

IBM Integration Bus

|

v10.0.0.0 - v10.0.0.25

|

N/A

|

See section Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now by executing these steps;

For IBM Integration Bus v10 V10.0.0.24 -V10.0.0.25 users can disable node js.

Refer to
‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’