
Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl. (CVE-2023-38039)

Published: 2023-12-06 13:46:44
Source: www.ibm.com
Tags: ibm app connect enterprise, denial of service, curl libcurl, vulnerability, apar it45091

CVSS3 base score: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 9.2 High (Confidence: High)
EPSS: 0.009 Low (Percentile: 83.1%)

Summary

The OpenTelemetry tracing in IBM App Connect Enterprise is vulnerable to a denial of service due to cURL libcurl. (CVE-2023-38039)

Vulnerability Details

CVEID: CVE-2023-38039
**DESCRIPTION:** cURL libcurl is vulnerable to a denial of service, caused by not limiting the number and size of headers accepted in a response. By sending a specially crafted request, a remote attacker could exploit this vulnerability to exhaust heap memory, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/265946 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
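The weakness described above is a missing ceiling on the number and size of response headers a client will buffer. The following is an added illustration, not code from IBM, curl, or this bulletin, of how a defensive HTTP client-side reader bounds that growth: each header line is read with a hard length cap, the running total of header bytes and the header count are checked before anything further is buffered, and a peer that exceeds a limit is rejected instead of being allowed to grow the heap without bound. The limit values, the function names and the `build_response` helper are assumptions chosen for the example; the sample responses are constructed test data.

```python
"""Bounded HTTP response-header reader (illustrative, not curl's implementation)."""
import io
from typing import BinaryIO, List, Tuple

# Assumed defensive ceilings for this example; they are not curl's values.
MAX_HEADER_COUNT = 100
MAX_HEADER_LINE_BYTES = 8 * 1024
MAX_HEADER_TOTAL_BYTES = 64 * 1024


class HeaderLimitExceeded(ValueError):
    """Raised when a response's header block exceeds a configured ceiling."""


def read_response_headers(
    fp: BinaryIO,
    max_count: int = MAX_HEADER_COUNT,
    max_line: int = MAX_HEADER_LINE_BYTES,
    max_total: int = MAX_HEADER_TOTAL_BYTES,
) -> Tuple[str, List[Tuple[str, str]]]:
    """Parse the status line and header block from fp, enforcing limits as data arrives.

    readline(max_line + 1) guarantees that no single line is ever buffered beyond
    the cap, so an endless line cannot be accumulated before the check runs.
    """
    status = fp.readline(max_line + 1)
    if len(status) > max_line:
        raise HeaderLimitExceeded("status line exceeds %d bytes" % max_line)
    if not status.startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    total = len(status)
    headers: List[Tuple[str, str]] = []
    while True:
        line = fp.readline(max_line + 1)
        if not line:
            raise ValueError("unexpected end of stream inside headers")
        if len(line) > max_line:
            raise HeaderLimitExceeded("header line exceeds %d bytes" % max_line)
        total += len(line)
        if total > max_total:
            raise HeaderLimitExceeded("header block exceeds %d bytes" % max_total)
        if line in (b"\r\n", b"\n"):
            break  # blank line terminates the header block
        if len(headers) >= max_count:
            raise HeaderLimitExceeded("more than %d headers" % max_count)
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return status.decode("latin-1").strip(), headers


def parse_bytes(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Convenience wrapper: parse an in-memory response."""
    return read_response_headers(io.BytesIO(raw))


def header_block_within_limits(raw: bytes) -> bool:
    """True if the header block parses under the default ceilings, False if a limit trips."""
    try:
        parse_bytes(raw)
        return True
    except HeaderLimitExceeded:
        return False


def build_response(header_count: int, value_len: int) -> bytes:
    """Construct a synthetic response with header_count padded headers (constructed test data)."""
    lines = [b"HTTP/1.1 200 OK"]
    for i in range(header_count):
        lines.append(b"X-Pad-%d: " % i + b"a" * value_len)
    lines.append(b"")  # end of headers
    lines.append(b"body")
    return b"\r\n".join(lines)


if __name__ == "__main__":
    print(parse_bytes(build_response(2, 5)))
    for label, raw in (
        ("too many headers", build_response(101, 1)),
        ("one oversized header", build_response(1, 10000)),
        ("header block too large in total", build_response(50, 2000)),
    ):
        print(label, "->", "accepted" if header_block_within_limits(raw) else "rejected")
```

The three rejection cases correspond to the three independent ceilings (count, single-line size, total size); a reader that enforces only one of them can still be driven to exhaust memory through the others, which is why all three are checked before each line is retained.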

Affected Products and Versions

Affected Product(s): IBM App Connect Enterprise
Version(s): 12.0.7.0 - 12.0.10.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise.

Affected Product(s): IBM App Connect Enterprise
Version(s): 12.0.7.0 - 12.0.10.0
APAR: IT45091
Remediation / Fix: The APAR (IT45091) is available from IBM App Connect Enterprise v12 - Fix Pack 12.0.10.1

Workarounds and Mitigations

None

