Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to Eclipse Jetty (CVE-2024-22201)

Summary

IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit are vulnerable to a denial of service due to Eclipse Jetty. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2024-22201
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection gets TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the server to stop accepting new connections from valid clients, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise Toolkit and IBM Integration Bus for z/OS Toolkit

The APAR (IT45942) is available from

IBM App Connect Enterprise v12 - Mod Release 12.0.12.0

IBM App Connect Enterprise| 11.0.0.1 - 11.0.0.25| IT45942|

The APAR (IT45942) is available from

IBM App Connect Enterprise v11 - Fix Pack Release 11.0.0.26

IBM Integration Bus for z/OS| 10.1 - 10.1.0.3| IT45942|

Interim Fix for APAR (IT45942) is available to apply to 10.1.0.3 from

IBM Fix Central

Workarounds and Mitigations

None