
Security Bulletin: IBM App Connect Enterprise Certified Container UBI updates

Published: 2024-09-03 09:42:53
Source: www.ibm.com

CVSS3: 7.4
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.6
Confidence: Low

Summary

IBM App Connect Enterprise Certified Container (ACEcc) is built on the Red Hat Universal Base Images. ACEcc operator versions 5.0.20 (LTS), 12.0.3 (LTS) and 12.3.0 contain fixes to the listed CVEs found in the base images. This bulletin provides patch information to address the reported vulnerabilities.

Vulnerability Details

CVEID: CVE-2024-21131
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298464 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2024-21138
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298465 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21140
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298466 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2024-21144
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the Concurrency component could allow a remote attacker to cause low availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298470 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21145
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the 2D component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298467 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2024-21147
**DESCRIPTION:** An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity impacts.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/298469 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| App Connect Enterprise Certified Container | 5.0-lts |
| App Connect Enterprise Certified Container | 7.1 |
| App Connect Enterprise Certified Container | 7.2 |
| App Connect Enterprise Certified Container | 8.0 |
| App Connect Enterprise Certified Container | 8.1 |
| App Connect Enterprise Certified Container | 8.2 |
| App Connect Enterprise Certified Container | 9.0 |
| App Connect Enterprise Certified Container | 9.1 |
| App Connect Enterprise Certified Container | 9.2 |
| App Connect Enterprise Certified Container | 10.0 |
| App Connect Enterprise Certified Container | 10.1 |
| App Connect Enterprise Certified Container | 11.0 |
| App Connect Enterprise Certified Container | 11.1 |
| App Connect Enterprise Certified Container | 11.2 |
| App Connect Enterprise Certified Container | 11.3 |
| App Connect Enterprise Certified Container | 11.4 |
| App Connect Enterprise Certified Container | 11.5 |
| App Connect Enterprise Certified Container | 11.6 |
| App Connect Enterprise Certified Container | 12.0-sc2 |
| App Connect Enterprise Certified Container | 12.1 |
| App Connect Enterprise Certified Container | 12.2 |

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 12.2.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 12.3.0 or higher, and ensure that all components are at 12.0.12.5-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 12.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 12.0.3 or higher, and ensure that all components are at 12.0.12-r3 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/12.0?topic=umfpr-upgrading-operator-releases>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.20 or higher, and ensure that all components are at 12.0.12.4-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
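
The "all components are at ... or higher" condition above can be checked mechanically once the component versions have been collected. The following is an added example, not IBM's code: the channel keys, the component names in the sample inventory, and the ordering rule (dotted fields compared numerically, then the `-rN` revision) are assumptions; only the minimum version strings come from this bulletin.

```python
import re

# Minimum component versions quoted in Remediation/Fixes, keyed by
# channel labels chosen for this example (assumption, not IBM names).
MIN_COMPONENT = {
    "cd": "12.0.12.5-r1",            # Continuous Delivery, operator 12.3.0+
    "12.0-lts": "12.0.12-r3",        # 12.0 LTS, operator 12.0.3+
    "5.0-lts": "12.0.12.4-r1-lts",   # 5.0 LTS, operator 5.0.20+
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)(-lts)?$")

def parse_version(text):
    """Split '12.0.12.5-r1' into ((12, 0, 12, 5), 1).

    Assumption: the dotted part is compared numerically after padding to
    four fields, and '-rN' breaks ties. The '-lts' suffix marks the channel
    only and is ignored for ordering.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        # Fail closed: an unparseable tag must not pass as compliant.
        raise ValueError(f"unrecognised version string: {text!r}")
    fields = tuple(int(p) for p in m.group(1).split("."))
    fields += (0,) * (4 - len(fields))
    return fields, int(m.group(2))

def below_minimum(inventory, channel):
    """Return the sorted names of components older than the channel minimum."""
    floor = parse_version(MIN_COMPONENT[channel])
    return sorted(name for name, ver in inventory.items()
                  if parse_version(ver) < floor)

# Constructed sample inventory (hypothetical component names).
SAMPLE_CD = {
    "dashboard": "12.0.12.5-r1",
    "runtime-orders": "12.0.12.3-r2",
    "designer": "12.0.12.6-r1",
}

if __name__ == "__main__":
    for name in below_minimum(SAMPLE_CD, "cd"):
        print(f"{name}: {SAMPLE_CD[name]} is below {MIN_COMPONENT['cd']}")
```

Compare each inventory only against the minimum for its own channel; the three channels use different version floors.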

Workarounds and Mitigations

None

Affected configurations

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | app_connect_enterprise | 5.0 | `cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 7.1 | `cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 7.2 | `cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 8.0 | `cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 8.1 | `cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 8.2 | `cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 9.0 | `cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 9.1 | `cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 9.2 | `cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:*` |
| ibm | app_connect_enterprise | 10.0 | `cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:*` |