Lucene search

K
ibmIBM55A31FD91781DC3EA3058F20217490B4ABE4F977D92AEEE2930DA2EF4F6620D9
HistoryMar 03, 2023 - 3:29 p.m.

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to CVE-2022-43548 in Node.js

2023-03-0315:29:03
www.ibm.com
29
ibm cloud pak
vulnerability
node.js
platform navigator
automation assets
upgrade
operator
ibm documentation

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.006

Percentile

79.7%

Summary

Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to CVE-2022-43548 in Node.js with details below.

Vulnerability Details

**CVEID:**CVE-2022-43548 DESCRIPTION: Node.js could allow a remote attacker to execute arbitrary commands on the system, caused by an insufficient IsAllowedHost check. By sending a specially-crafted DBS request using an invalid octal address, an attacker could exploit this vulnerability to conduct a DNS rebinding attack and execute arbitrary commands on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241552 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Platform Navigator in IBM Cloud Pak for Integration (CP4I) 2021.1.1
2021.2.1
2021.4.1
2022.2.1
2022.4.1
Automation Assets in IBM Cloud Pak for Integration (CP4I) 2021.1.1
2021.2.1
2021.4.1
2022.2.1

Remediation/Fixes

Platform Navigator in IBM Cloud Pak for Integration

Upgrade Platform Navigator to either the LTS or CD version:

LTS: 2022.2.1-6 using the Operator upgrade process described in the IBM Documentation

https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui

CD: 2022.4.1-1 using the Operator upgrade process described in the IBM Documentation
https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.4?topic=upgrading-platform-ui

Automation Assets version****in IBM Cloud Pak for Integration

Upgrade Automation Assets Operator to 2022.2.1-5 using the Operator upgrade process described in the IBM Documentation

https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmcloud_pak_for_securityMatch2021.1.12021.2.12021.4.12022.2.12022.4.1
OR
ibmcloud_pak_for_automationMatch2021.1.12021.2.12021.4.12022.2.1
VendorProductVersionCPE
ibmcloud_pak_for_security2021.1.12021.2.12021.4.12022.2.12022.4.1cpe:2.3:a:ibm:cloud_pak_for_security:2021.1.12021.2.12021.4.12022.2.12022.4.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation2021.1.12021.2.12021.4.12022.2.1cpe:2.3:a:ibm:cloud_pak_for_automation:2021.1.12021.2.12021.4.12022.2.1:*:*:*:*:*:*:*

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

8.3

Confidence

High

EPSS

0.006

Percentile

79.7%