Lucene search

IBM704B40214F9A0AB05184F8943ED9C795F22AF1D35FBBD9053D95129B46FE6737

HistoryJun 20, 2024 - 3:46 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to IBM CICS Transaction Gateway (CVE-2023-50310, CVE-2023-50311)

2024-06-2015:46:29

www.ibm.com

ibm

app connect enterprise

integration bus

z/os

cics transaction gateway

vulnerabilities

authentication credentials

sensitive path information

fix

apar

interim fix

CVSS3

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score

Confidence

Low

JSON

Summary

IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to multiple vulnerabilities due to IBM CICS Transaction Gateway. This bulletin identifies the steps to take to address these vulnerabilities.

Vulnerability Details

CVEID:CVE-2023-50310
**DESCRIPTION:**IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. IBM X-Force ID: 273612.
CVSS Base score: 4.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-50311
**DESCRIPTION:**IBM CICS Transaction Gateway for Multiplatforms 9.2 and 9.3 could disclose sensitive path information to an attacker that could reveal through debugging or error messages. IBM X-Force ID: 273614.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/273614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM App Connect Enterprise

12.0.1.0 - 12.0.12.2

IBM App Connect Enterprise|

11.0.0.1 - 11.0.0.25

IBM Integration Bus for z/OS|

10.1 - 10.1.0.3

Remediation/Fixes

**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS **

Affected Product(s)

Version(s)

| APAR|

Remediation / Fixes

—|—|—|—
IBM App Connect Enterprise| 12.0.1.0 - 12.0.12.2| IT45884|

The APAR (IT45884) is available from

IBM App Connect Enterprise v12- Fix Pack Release 12.0.12.3

IBM App Connect Enterprise| 11.0.0.1 - 11.0.0.25| IT45884|

The APAR (IT45884) is available from

IBM App Connect Enterprise v11- Fix Pack Release 11.0.0.26

IBM Integration Bus for z/OS| 10.1 - 10.1.0.3| IT45884|

Interim fix for APAR (IT45884) is available to apply to 10.1.0.3 from

IBM Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseRange12.0.1.0≥

ibmapp_connect_enterpriseRange≤12.0.12.2

ibmapp_connect_enterpriseRange11.0.0.1≥

ibmapp_connect_enterpriseRange≤11.0.0.25

ibmintegration_busRange10.1≥

ibmintegration_busRange≤10.1.0.3

VendorProductVersionCPE
ibmapp_connect_enterprise*cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:*
ibmintegration_bus*cpe:2.3:a:ibm:integration_bus:*:*:*:*:*:*:*:*