Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842)

Published: 2023-06-30 09:29:30
Source: www.ibm.com

CVSS 3.1 base score: 5.3 (Medium)

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: NONE
- Integrity Impact: LOW
- Availability Impact: NONE
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001 (Low), percentile 39.4%

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to the module xml2js (CVE-2023-0842). The latest Fix Pack includes xml2js version 5.0.

Vulnerability Details

**CVEID:** CVE-2023-0842
**DESCRIPTION:** xml2js could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
**CVSS Base score:** 7.3
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/252153 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
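The description above names the mechanism: an XML-to-object parser that assigns element names straight onto plain objects lets a document choose element names such as `__proto__` or `constructor`, which is how the tree can reach `Object.prototype` once consuming code merges or copies it. The block below is an added defensive example, not code from IBM or from the xml2js project: it walks the kind of nested object/array tree such a parser returns (a constructed sample is embedded inline, built with `JSON.parse` because an object literal would treat `__proto__` as the prototype setter rather than as an own key), reports every dangerous key with its path, and rebuilds the tree on null-prototype objects with those keys dropped. The names `findDangerousKeys`, `sanitizeTree`, `parseGuard` and `DANGEROUS_KEYS` are the example's own.

```javascript
'use strict';

// Keys that, if assigned on a plain object or deep-merged into one, can reach
// Object.prototype. The set is this example's choice, not a library constant.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed tree and returns the path of every dangerous key,
// e.g. ['$.root.__proto__']. Strings, numbers and null are leaves.
function findDangerousKeys(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((child, i) => findDangerousKeys(child, `${path}[${i}]`, found));
  } else if (node !== null && typeof node === 'object') {
    // Object.keys lists an own "__proto__" data property created by JSON.parse.
    for (const key of Object.keys(node)) {
      const childPath = `${path}.${key}`;
      if (DANGEROUS_KEYS.has(key)) found.push(childPath);
      findDangerousKeys(node[key], childPath, found);
    }
  }
  return found;
}

// Rebuilds the tree on null-prototype objects with the dangerous keys removed,
// so a later deep-merge or Object.assign over the result has no path to
// Object.prototype. Arrays are preserved; leaves are returned unchanged.
function sanitizeTree(node) {
  if (Array.isArray(node)) return node.map(sanitizeTree);
  if (node !== null && typeof node === 'object') {
    const clean = Object.create(null);
    for (const key of Object.keys(node)) {
      if (DANGEROUS_KEYS.has(key)) continue;
      clean[key] = sanitizeTree(node[key]);
    }
    return clean;
  }
  return node;
}

// Fail-closed gate to place between the parser and whatever consumes its
// output: throws, listing the offending paths, instead of passing the tree on.
function parseGuard(tree) {
  const hits = findDangerousKeys(tree);
  if (hits.length > 0) {
    const err = new Error(`rejected document: dangerous element names at ${hits.join(', ')}`);
    err.paths = hits;
    throw err;
  }
  return tree;
}

// Constructed sample (not a captured payload): the object shape a parser would
// hand back for a document whose element names collide with Object.prototype.
const PARSED_SAMPLE = JSON.parse(
  '{"root":{"name":["ok"],"__proto__":{"polluted":["yes"]},' +
  '"items":[{"constructor":{"x":["1"]}}]}}'
);

// Runs both strategies over the sample and reports what each produced.
function demo() {
  const hits = findDangerousKeys(PARSED_SAMPLE);
  const clean = sanitizeTree(PARSED_SAMPLE);
  let guardRejected = false;
  try {
    parseGuard(PARSED_SAMPLE);
  } catch (e) {
    guardRejected = Array.isArray(e.paths) && e.paths.length === hits.length;
  }
  return {
    hits,
    guardRejected,
    cleanRootKeys: Object.keys(clean.root),          // ['name', 'items']
    cleanItemKeys: Object.keys(clean.root.items[0]), // [] after dropping "constructor"
    globalPolluted: ({}).polluted !== undefined,     // false: nothing touched Object.prototype
  };
}

console.log(JSON.stringify(demo()));
```

`parseGuard` is the stricter of the two options: rejecting the document is preferable when element names are under the sender's control, because silently dropping keys can hide that a malformed or hostile document arrived at all. `sanitizeTree` fits when the consumer must keep processing and only needs a tree that is safe to merge.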

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.8.0 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.20 |
| IBM Integration Bus | 10.1 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.8.0 | IT43550 | Interim fix for APAR (IT43550) is available to apply to 12.0.8.0 from IBM Fix Central |
| IBM App Connect Enterprise | v11.0.0.1 - v11.0.0.20 | IT43550 | The APAR (IT43550) is available from IBM App Connect Enterprise v11 - Fix Pack 11.0.0.21 |
| IBM Integration Bus | v10.1 | IT43550 | *See Workarounds & Mitigations |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43550 | *See Workarounds & Mitigations |

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus.

For IBM Integration Bus v10.1, v10.0.0.24 and subsequent v10.0 fix packs, users can disable Node.js.

Refer to "Disabling Node.js in IBM Integration Bus v10.1, v10.0.0.24 and subsequent v10.0 fix packs".

Affected configurations (Vulners)

- ibm app_connect_enterprise: range 12.0.1.0 - 12.0.8.0
- ibm app_connect_enterprise: range 11.0.0.1 - 11.0.0.20
- ibm integration_bus: match 10.1
- ibm integration_bus: range 10.0.0.0 - 10.0.0.26
