Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to multiple jsonwebtoken CVEs

2023-01-30 10:40:47
www.ibm.com

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVSS2: 6.5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P

EPSS: 0.001 Low
Percentile: 33.6%

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to multiple vulnerabilities in jsonwebtoken (CVE-2022-23541, CVE-2022-23539, CVE-2022-23529, CVE-2022-23540). The resolving fix includes jsonwebtoken version 9.0.0. A mitigation is provided for IBM Integration Bus.

Vulnerability Details

CVEID: CVE-2022-23541
**DESCRIPTION:** Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure implementation of the key retrieval function. By sending a specially-crafted request, an attacker could exploit this vulnerability to forge Public/Private Tokens from RSA to HMAC.
CVSS Base score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242966 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2022-23539
**DESCRIPTION:** Auth0 jsonwebtoken could provide weaker than expected security, caused by an unrestricted key type issue. A remote authenticated attacker could exploit this vulnerability to allow legacy key usage and launch further attacks on the system.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242968 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N)

CVEID: CVE-2022-23529
**DESCRIPTION:** Auth0 jsonwebtoken could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation in the jwt.verify function. By sending a specially-crafted request using the key retrieval parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242967 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-23540
**DESCRIPTION:** Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure default algorithm flaw in the jwt.verify() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass signature validation.
CVSS Base score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242969 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0
IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.19
IBM Integration Bus | 10.0.0.0 - 10.0.0.26

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.

Product(s) | Version(s) | APAR | Remediation / Fix
IBM App Connect Enterprise | v12.0.1.0 - v12.0.7.0 | IT42894 | Interim fix for APAR IT42894 is available in IBM Fix Central
IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.19 | IT42894 | The APAR IT42894 is available in fixpack 11.0.0.20 (IBM App Connect Enterprise version v11 - Fixpack 11.0.0.20)
IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | n/a | See Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below:

For IBM Integration Bus v10.0.0.24 - v10.0.0.26, users can disable Node.js.

Refer to: Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs
