Lucene search

IBM57932B345E5BF17185D5E8546189C976C1E43845C301E94E0517DAC443311BCD

HistoryJul 27, 2023 - 3:56 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery due to [CVE-2023-28155]

2023-07-2715:56:54

www.ibm.com

ibm

app connect enterprise

ssrf

cve-2023-28155

node.js

request module

vulnerability

patch

upgrade

server-side request forgery

container operands

fix

lts

CVSS3

6.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

45.6%

JSON

Summary

Node.js module Request is used by IBM App Connect Enterprise Certified Container operands for both internal and external HTTP calls. IBM App Connect Enterprise Certified Container operands are vulnerable to server-side request forgery. This bulletin provides patch information to address the reported vulnerability in Node.js module Request. [CVE-2023-28155]

Vulnerability Details

CVEID:CVE-2023-28155
**DESCRIPTION:**Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol redirect bypass flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250386 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	4.1
App Connect Enterprise Certified Container	4.2
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	5.1
App Connect Enterprise Certified Container	5.2
App Connect Enterprise Certified Container	6.0
App Connect Enterprise Certified Container	6.1
App Connect Enterprise Certified Container	6.2
App Connect Enterprise Certified Container	7.0
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1
App Connect Enterprise Certified Container	8.2
App Connect Enterprise Certified Container	9.0

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 9.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 9.1.0 or higher, and ensure that all components are at 12.0.9.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.9 or higher, and ensure that all components are at 12.0.9.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch4.1

ibmapp_connect_enterpriseMatch4.2

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch5.1

ibmapp_connect_enterpriseMatch5.2

ibmapp_connect_enterpriseMatch6.0

ibmapp_connect_enterpriseMatch6.1

ibmapp_connect_enterpriseMatch6.2

ibmapp_connect_enterpriseMatch7.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

ibmapp_connect_enterpriseMatch8.2

ibmapp_connect_enterpriseMatch9.0

VendorProductVersionCPE
ibmapp_connect_enterprise4.1cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise4.2cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.1cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.2cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.0cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.1cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.2cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.0cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	4.1	cpe:2.3:a:ibm:app_connect_enterprise:4.1:::::::*
ibm	app_connect_enterprise	4.2	cpe:2.3:a:ibm:app_connect_enterprise:4.2:::::::*
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	5.1	cpe:2.3:a:ibm:app_connect_enterprise:5.1:::::::*
ibm	app_connect_enterprise	5.2	cpe:2.3:a:ibm:app_connect_enterprise:5.2:::::::*
ibm	app_connect_enterprise	6.0	cpe:2.3:a:ibm:app_connect_enterprise:6.0:::::::*
ibm	app_connect_enterprise	6.1	cpe:2.3:a:ibm:app_connect_enterprise:6.1:::::::*
ibm	app_connect_enterprise	6.2	cpe:2.3:a:ibm:app_connect_enterprise:6.2:::::::*
ibm	app_connect_enterprise	7.0	cpe:2.3:a:ibm:app_connect_enterprise:7.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*