IBM417812B54C011FC54685A9E28AE60507821A9C52ACE3B969F1445DE45F570EFASecurity Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality and denial of service due to [CVE-2023-46809] [CVE-2024-21892] [CVE-2024-22019]
Summary
Node.js is used by IBM App Connect Enterprise Certified Container as one of the main runtimes. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality and denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-46809] [CVE-2024-21892] [CVE-2024-22019]
Vulnerability Details
CVEID:CVE-2023-46809
**DESCRIPTION:**Node.js could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the privateDecrypt() API of the crypto library. An attacker could exploit this vulnerability to conduct a covert timing side-channel during PKCS#1 v1.5 padding error handling and obtain significant timing differences in decryption for valid and invalid ciphertexts.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2024-21892
**DESCRIPTION:**Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the exception of CAP_NET_BIND_SERVICE. An attacker could exploit this vulnerability to inject code that inherits the process’s elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282986 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2024-22019
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP request with unbounded chunk extension. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282988 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| App Connect Enterprise Certified Container | 5.0-lts |
| App Connect Enterprise Certified Container | 7.1 |
| App Connect Enterprise Certified Container | 7.2 |
| App Connect Enterprise Certified Container | 8.0 |
| App Connect Enterprise Certified Container | 8.1 |
| App Connect Enterprise Certified Container | 8.2 |
| App Connect Enterprise Certified Container | 9.0 |
| App Connect Enterprise Certified Container | 9.1 |
| App Connect Enterprise Certified Container | 9.2 |
| App Connect Enterprise Certified Container | 10.0 |
| App Connect Enterprise Certified Container | 10.1 |
| App Connect Enterprise Certified Container | 11.0 |
| App Connect Enterprise Certified Container | 11.1 |
| App Connect Enterprise Certified Container | 11.2 |
| App Connect Enterprise Certified Container | 11.3 |
| App Connect Enterprise Certified Container | 11.4 |
Remediation/Fixes
IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 11.4.0 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 11.5.0 or higher, and ensure that all components are at 12.0.12.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)
Upgrade to App Connect Enterprise Certified Container Operator version 5.0.17 or higher, and ensure that all components are at 12.0.12.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
Workarounds and Mitigations
None
Related
8.3 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
14.8%