Security Bulletin: IBM App Connect Enterprise Certified Container Dashboard operands may be vulnerable to Denial of Service due to CVE-2022-31770

Summary

IBM App Connect Enterprise Certified Container Dashboard operands can be caused to crash with a specially crafted request, resulting in the Dashboard becoming unavailable until the operand Pod restarts. This bulletin provides patch information to address the reported vulnerability CVE-2022-31770.

Vulnerability Details

CVEID:CVE-2022-31770
**DESCRIPTION:**IBM App Connect Enterprise Certified Container could allow a user from the administration console to cause a denial of service by creating a specially crafted request.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228221 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 4.2 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.0 or higher, and ensure that all Dashboard components are at 12.0.5.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 1.1 EUS (Extended Update Support) is not affected

Workarounds and Mitigations

None