Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to several vulnerabilities in Node.js due to [CVE-2023-30581] [CVE-2023-30588] [CVE-2023-30589] [CVE-2023-30590]

Summary

Node.js is used by IBM App Connect Enterprise Certified Container as a runtime engine. IBM App Connect Enterprise Certified Container operands are vulnerable to bypassing of security restrictions, denial of service, HTTP request smuggling and faulty key generation. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-30581] [CVE-2023-30588] [CVE-2023-30589] [CVE-2023-30590]

Vulnerability Details

CVEID:CVE-2023-30590
**DESCRIPTION:**Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-30588
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By accessing public key info of provided certificates from user code, an attacker could exploit this vulnerability to force interruptions of application processing and cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-30589
**DESCRIPTION:**Node.js is vulnerable to HTTP request smuggling, caused by the failure to strictly use the CRLF sequence to delimit HTTP requests by the llhttp parser in the http module. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID:CVE-2023-30581
**DESCRIPTION:**Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in process.mainModule.proto.require(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass experimental policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 9.1.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 9.2.0 or higher, and ensure that all components are at 12.0.9.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.10 or higher, and ensure that all components are at 12.0.9.0-r2-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None