History: Jan 17, 2024 - 11:48 a.m.

Security Bulletin: IBM App Connect Enterprise Toolkit & IBM Integration Bus Toolkit are vulnerable to a remote attacker due to Apache Derby. (CVE-2022-46337)

Source: www.ibm.com

Tags: ibm, remote attacker, apache derby, vulnerability, ldap injection, cvss, fix, apar, ibm app connect enterprise, ibm integration bus, cve-2022-46337

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 7 High (Confidence: High)

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.002 Low (Percentile: 61.2%)

Summary

IBM App Connect Enterprise Toolkit & IBM Integration Bus Toolkit are vulnerable to a remote attacker due to Apache Derby, which affects the Derby Sample Database in the toolkit. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID: CVE-2022-46337
DESCRIPTION: Apache Derby could allow a remote attacker to bypass security restrictions, caused by an LDAP injection vulnerability in the authenticator. By sending a specially crafted request, an attacker could exploit this vulnerability to view and corrupt sensitive data and run sensitive database functions and procedures.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/271915 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Note that IBM rates this CVE 9.1 with no availability impact (A:N); the 9.8 shown at the top of this page is the aggregator's CVSS 3.1 rating, which counts availability as HIGH. Either way the vector is network-reachable, low complexity and unauthenticated, so exposure of the Derby sample database's LDAP authentication to untrusted networks is the condition to check for.
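The description names the bug class but not its mechanics. The following is an added illustration of LDAP filter injection in an authenticator, written for this page and not taken from Apache Derby or from IBM: a user name spliced unescaped into a search filter lets a remote caller rewrite the filter (a bare `*` matches every entry, a trailing `)(` appends clauses), while RFC 4515 escaping of the assertion value reduces the name to a literal. The attribute name `uid`, the `(uid=<name>)` filter shape, the directory entries and the tiny in-memory filter evaluator that stands in for the LDAP server are all constructed assumptions for the demo.

```python
"""LDAP filter injection, the bug class named in CVE-2022-46337.

Added illustration, not Apache Derby's code.  The attribute "uid", the filter
shape "(uid=<name>)" and the entries below are constructed for the demo; a
minimal RFC 4515 evaluator stands in for the directory server.
"""
import re

# Constructed sample directory: (DN, attributes).  Not real data.
DIRECTORY = [
    ("uid=alice,ou=people,dc=example,dc=com", {"uid": "alice"}),
    ("uid=dbadmin,ou=people,dc=example,dc=com", {"uid": "dbadmin"}),
]


def build_filter_vulnerable(username: str) -> str:
    """Concatenates the untrusted name straight into filter syntax."""
    return f"(uid={username})"


# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value so they are matched literally instead of parsed.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_safe(username: str) -> str:
    """Same filter shape, but the name can only ever be a literal value."""
    return f"(uid={escape_filter_value(username)})"


# --- Minimal RFC 4515 evaluator standing in for the directory server -------

def _parse(s: str, i: int):
    """Parse one filter item starting at s[i] == '('; return (node, next)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unterminated compound filter")
        return (op, kids), i + 1
    j = s.find(")", i)  # an escaped ')' is '\29', so this is the real close
    if j < 0:
        raise ValueError("unterminated filter item")
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1


def _unescape(s: str) -> str:
    """Turn RFC 4515 '\\hh' escapes back into the literal characters."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _match(pattern: str, actual: str) -> bool:
    """A raw '*' in the pattern is a wildcard; an escaped '\\2a' is a literal star."""
    parts = [re.escape(_unescape(p)) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), actual, re.DOTALL) is not None


def _eval(node, attrs) -> bool:
    if node[0] == "=":
        _, attr, val = node
        return attr in attrs and _match(val, attrs[attr])
    op, kids = node
    if op == "&":
        return all(_eval(k, attrs) for k in kids)
    if op == "|":
        return any(_eval(k, attrs) for k in kids)
    return not _eval(kids[0], attrs)


def search(ldap_filter: str):
    """Return the DNs matching a filter; trailing junk is rejected as a server would."""
    node, end = _parse(ldap_filter, 0)
    if end != len(ldap_filter):
        raise ValueError("trailing data after filter")
    return [dn for dn, attrs in DIRECTORY if _eval(node, attrs)]


if __name__ == "__main__":
    for name in ("alice", "*", "dbadm*", "alice)(uid=dbadmin"):
        for build in (build_filter_vulnerable, build_filter_safe):
            f = build(name)
            try:
                print(f"{build.__name__:24s} {f!r:34s} -> {search(f)}")
            except ValueError as e:
                print(f"{build.__name__:24s} {f!r:34s} -> rejected ({e})")
```

With the vulnerable builder a user name of `*` resolves to every entry and `dbadm*` resolves to the admin account, so whichever entry the authenticator binds or compares against is chosen by the attacker rather than the administrator; with the escaped builder the same inputs resolve to nothing. The escape table is the whole fix: any other sanitisation (length limits, character blacklists) leaves the value being interpreted as filter grammar.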

Affected Products and Versions

Affected Product(s) | Version(s)
IBM App Connect Enterprise | 12.0.1.0 - 12.0.11.0
IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.24
IBM Integration Bus | 10.1 - 10.1.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise Toolkit and IBM Integration Bus Toolkit.

Affected Product(s) | Version(s) | APAR | Remediation / Fixes
IBM App Connect Enterprise | 12.0.1.0 - 12.0.11.0 | IT45139 | The APAR (IT45139) is available from IBM App Connect Enterprise v12 - Fix Pack 12.0.11.1
IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.24 | IT45139 | Interim Fix for APAR (IT45139) is available to apply to 11.0.0.24 from IBM Fix Central
IBM Integration Bus | 10.1 - 10.1.0.2 | IT45139 | Interim Fix for APAR (IT45139) is available to apply to 10.1.0.2 from IBM Fix Central

Workarounds and Mitigations

None

