8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
33.6%
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote attacker due to jsonwebtoken (CVE-2022-23541, CVE-2022-23539, CVE-2022-23529, CVE-2022-23540). The resolving fix includes jsonwebtoken version 9.0.0. A mitigation is provided for IBM Integration Bus
CVEID:CVE-2022-23541
**DESCRIPTION:**Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure implementation of key retrieval function. By sending a specially-crafted request, an attacker could exploit this vulnerability to forge Public/Private Tokens from RSA to HMAC.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242966 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID:CVE-2022-23539
**DESCRIPTION:**Auth0 jsonwebtoken could provide weaker than expected security, caused by an unrestricted key type issue. A remote authenticated attacker could exploit this vulnerability to allow legacy keys usage and launch further attacks on the system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242968 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N)
CVEID:CVE-2022-23529
**DESCRIPTION:**Auth0 jsonwebtoken could allow a remote authenticated attacker to execute arbitrary code on the system, caused by improper input validation by the jwt.verify function. By sending a specially-crafted request using the key retrieval parameter, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242967 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-23540
**DESCRIPTION:**Auth0 jsonwebtoken could allow a remote authenticated attacker to bypass security restrictions, caused by an insecure default algorithm flaw in the jwt.verify() function. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass signature validation.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242969 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0 |
IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.19 |
IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus
Product(s) | Version(s) | APAR | Remediation / Fix |
---|---|---|---|
IBM App Connect Enterprise | v12.0.1.0 - v12.0.7.0 | IT42894 |
Interim fix for APAR (IT42894) is available in
IBM App Connect Enterprise| v11.0.0.0 - v11.0.0.19| IT42894|
The APAR (IT42894) is available in fixpack 11.0.0.20
IBM App Connect Enterprise version v11 - Fixpack 11.0.0.20
IBM Integration Bus| v10.0.0.0 - v10.0.0.26| n/a|
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below;
For IBM Integration Bus v10 v10.0.0.24 - v10.0.0.26 users can disable node js
Refer to
‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
33.6%