IBM43409803F4A3124128BAD51E36C6660374476F87982D2D0931C33095488A8E34Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServers that use Designer flows may be vulnerable to loss of confidentiality due to CVE-2022-24771
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
25.7%
Summary
Node.js module node-forge is used by IBM App Connect Enterprise Certified Container by the connectors in a Designer flow to communicate with the connected SaaS application. IBM App Connect Enterprise Certified Container IntegrationServers that run Designer flows containing connectors may be vulnerable to CVE-2022-24771. This bulletin provides patch information to address the reported vulnerability CVE-2022-24771 in node-forge.
Vulnerability Details
CVEID:CVE-2022-24771
**DESCRIPTION:**Node.js node-forge module could allow a remote attacker to bypass security restrictions, caused by improper signature verification when checking the digestAlgorithm structure. By using a specially-crafted structure to steal padding bytes and uses unchecked portion of the PKCS#1 encoded message, an attacker could exploit this vulnerability to forge a signature when a low public exponent is being used.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222172 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| App Connect Enterprise Certified Container | 1.1-eus with Operator |
| App Connect Enterprise Certified Container | 1.5 with Operator |
| App Connect Enterprise Certified Container | 2.0 with Operator |
| App Connect Enterprise Certified Container | 2.1 with Operator |
| App Connect Enterprise Certified Container | 3.0 with Operator |
| App Connect Enterprise Certified Container | 3.1 with Operator |
Remediation/Fixes
App Connect Enterprise Certified Container 1.5, 2.0, 2.1, 3.0 and 3.1 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 4.0.0 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.3.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support)
Upgrade to App Connect Enterprise Certified Container Operator version 1.1.7 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 11.0.0.16-r1-eus or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_eus?topic=releases-upgrading-operator>
Workarounds and Mitigations
None
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.001 Low
EPSS
Percentile
25.7%