Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM5B0090FD2F9C31B1AAD8132D77F2F3A9BAFFC62B4D89F4FF59E14ABE175A3067
HistorySep 11, 2023 - 4:26 p.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]

2023-09-1116:26:35
www.ibm.com
29
ibm app connect enterprise
remote attack
denial of service
node.js modules
protobuf.js
word-wrap
vm2 removal
cve-2023-36665
cve-2023-37903
cve-2023-37466
cve-2023-26115
vulnerability
fix
updated
it44228

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

71.6%

JSON

Summary

IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]. The fix includes protobuf.js >=7.2.4, word-wrap >=1.2.5 and vm2 has been removed from the product.

Vulnerability Details

CVEID:CVE-2023-36665
**DESCRIPTION:**protobuf.js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially crafted message, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259737 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-37903
**DESCRIPTION:**Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the custom inspect function. By sending a specially crafted request, an attacker could exploit this vulnerability to escape the sandbox and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/261385 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-37466
**DESCRIPTION:**Node.js vm2 module could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox escape flaw in the Promise handler. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/260831 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-26115
**DESCRIPTION:**Node.js word-wrap module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the result variable. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256901 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM App Connect Enterprise 12.0.1.0 - 12.0.9.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise

Affected Product(s) Version(s) APAR Remediation / Fixes
IBM App Connect Enterprise 12.0.1.0 - 12.0.9.0 IT44228

Interim fix for APAR (IT44228) is available to apply to 12.0.9.0 from

IBM Fix Central

Workarounds and Mitigations

None

Related

ibm 22
osv 9
github 5
openvas 1
redhat 12
redhatcve 4
prion 4
githubexploit 1
veracode 3
cve 4
cvelist 4
exploitdb 1
packetstorm 1
zdt 1
nessus 2
ibm
ibm
Security Bulletin: IBM Instana Observability for Synthetic PoP is affected by vulnerabilities in vm2
2024-03-15 13:58:17
Security Bulletin: IBM App Connect Enterprise Certified Container operands that use the Box or Snowflake connectors are vulnerable to arbitrary code execution due to [CVE-2023-37466], [CVE-2023-37903]
2023-08-24 15:07:58
Security Bulletin: protobuf.js component is vulnerable which is used by IBM Maximo Application Suite [CVE-2023-36665]
2023-08-29 21:00:33
osv
osv
vm2 Sandbox Escape vulnerability
2023-07-13 17:01:58
CVE-2023-26115
2023-06-22 05:15:09
CVE-2023-37903
2023-07-21 20:15:16
github
github
vm2 Sandbox Escape vulnerability
2023-07-13 17:01:58
vm2 Sandbox Escape vulnerability
2023-07-13 17:02:02
word-wrap vulnerable to Regular Expression Denial of Service
2023-06-22 06:30:18
openvas
openvas
vm2 <= 3.9.19 Multiple Sandbox Escape Vulnerabilities (Jul 2023)
2023-07-14 00:00:00
redhat
redhat
(RHSA-2023:4862) Critical: Multicluster Engine for Kubernetes 2.3.1 security updates and bug fixes
2023-08-29 14:04:31
(RHSA-2023:7681) Important: OpenShift Container Platform 4.14.6 security and extras update
2023-12-12 09:33:04
(RHSA-2023:4875) Critical: Red Hat Advanced Cluster Management 2.8.1 security and bug fix updates
2023-08-30 13:16:37
redhatcve
redhatcve
CVE-2023-36665
2023-07-10 10:24:43
CVE-2023-37903
2023-07-25 08:51:18
CVE-2023-37466
2023-08-16 15:21:33
prion
prion
Remote code execution
2023-07-14 00:15:00
Remote code execution
2023-07-21 20:15:00
Design/Logic Flaw
2023-06-22 05:15:00
githubexploit
githubexploit
Exploit for OS Command Injection in Vm2 Project Vm2
2023-11-05 11:23:15
veracode
veracode
Prototype Pollution
2023-07-06 09:09:49
Sandbox Escape
2023-07-14 02:38:41
Regular Expression Denial Of Service (ReDoS)
2023-06-29 07:13:31
cve
cve
CVE-2023-37903
2023-07-21 20:15:16
CVE-2023-37466
2023-07-14 00:15:09
CVE-2023-26115
2023-06-22 05:15:09
cvelist
cvelist
Sandbox Escape in vm2
2023-07-21 19:42:09
vm2 Sandbox Escape vulnerability
2023-07-13 23:17:51
CVE-2023-26115
2023-06-22 05:00:01
exploitdb
exploitdb
vm2 - sandbox escape
2024-03-16 00:00:00
packetstorm
packetstorm
vm2 3.9.19 Sandbox Escape
2024-03-18 00:00:00
zdt
zdt
vm2 - Sandbox Escape Exploit
2024-03-18 00:00:00
nessus
nessus
Fedora 39 : magicmirror (2023-3a06c965b4)
2023-11-07 00:00:00
IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)
2024-04-25 00:00:00

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

71.6%

JSON
Related for 5B0090FD2F9C31B1AAD8132D77F2F3A9BAFFC62B4D89F4FF59E14ABE175A3067
ibm22osv9github5openvas1redhat12redhatcve4prion4githubexploit1veracode3cve4cvelist4exploitdb1packetstorm1zdt1nessus2