Lucene search

K
ibmIBM454A29DA4FDC42B8F6E59002DC2DF2AEAB2CE33EF4FEF605B9A75489510C3522
HistoryApr 28, 2023 - 11:51 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to security restriction bypasss due to [CVE-2023-23918]

2023-04-2811:51:00
www.ibm.com
23
ibm app connect container
cve-2023-23918
node.js
security restriction bypass
vulnerability
patch
upgrade
documentation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

53.6%

Summary

Node.js is used as a runtime engine by IBM App Connect Enterprise Certified Container. If an IBM App Connect Enterprise Certified Container image is extended to run custom Node.js applications, it may be vulnerable to security restriction bypasss. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-23918]

Vulnerability Details

**CVEID:**CVE-2023-23918 DESCRIPTION: Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw when enable the experimental permissions option with --experimental-policy. By sending a specially-crafted request using process.mainModule.require(), an attacker could exploit this vulnerability to bypass Permissions and access non authorized modules.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247698 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 4.1
App Connect Enterprise Certified Container 4.2
App Connect Enterprise Certified Container 5.0-lts
App Connect Enterprise Certified Container 5.1
App Connect Enterprise Certified Container 5.2
App Connect Enterprise Certified Container 6.0
App Connect Enterprise Certified Container 6.1
App Connect Enterprise Certified Container 6.2
App Connect Enterprise Certified Container 7.0
App Connect Enterprise Certified Container 7.1
App Connect Enterprise Certified Container 7.2
App Connect Enterprise Certified Container 8.0

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 8.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 8.1.0 or higher, and ensure that all components are at 12.0.8.0-r1 or higher. Documentation on the upgrade process is available at https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.6 or higher, and ensure that all components are at 12.0.8.0-r1-lts or higher. Documentation on the upgrade process is available at https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmapp_connect_enterpriseMatch4.1
OR
ibmapp_connect_enterpriseMatch4.2
OR
ibmapp_connect_enterpriseMatch5.0
OR
ibmapp_connect_enterpriseMatch5.1
OR
ibmapp_connect_enterpriseMatch5.2
OR
ibmapp_connect_enterpriseMatch6.0
OR
ibmapp_connect_enterpriseMatch6.1
OR
ibmapp_connect_enterpriseMatch6.2
OR
ibmapp_connect_enterpriseMatch7.0
OR
ibmapp_connect_enterpriseMatch7.1
OR
ibmapp_connect_enterpriseMatch7.2
OR
ibmapp_connect_enterpriseMatch8.0
VendorProductVersionCPE
ibmapp_connect_enterprise4.1cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise4.2cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.1cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.2cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.0cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.1cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.2cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.0cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*
Rows per page:
1-10 of 121

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

7.5

Confidence

High

EPSS

0.002

Percentile

53.6%