Security Bulletin: IBM App Connect Enterprise Certified Container operator and IntegrationServer operands may be vulnerable to loss of confidentiality due to CVE-2022-32190

Summary

The IBM App Connect Enterprise Certified Container operator and IntegrationServer operands utilise Golang Go. The IBM App Connect Enterprise Certified Container operator and IntegrationServer operands may be vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability CVE-2022-32190 in Golang Go.

Vulnerability Details

CVEID:CVE-2022-32190
**DESCRIPTION:**Golang Go could allow a remote attacker to traverse directories on the system, caused by not remove …/ path elements appended to a relative path in JoinPath and URL.JoinPath. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236126 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1 and 5.2 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 6.0.0 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.5.0-r4 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.1 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.6.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None