IBM Integration Bus is vulnerable to arbitrary code execution due to Node.js ejs module. Mitigation steps to disable node.js have been recommended. (CVE-2022-29078)
CVEID: CVE-2022-29078
**DESCRIPTION:** The Node.js ejs module could allow a remote attacker to execute arbitrary code on the system, caused by a server-side template injection flaw in settings[view options][outputFunctionName]. By sending a specially-crafted HTTP request that overwrites the outputFunctionName option with an arbitrary OS command, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
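The flaw described above arises when request-controlled data reaches the template engine's options, so that `settings[view options][outputFunctionName]` can be supplied from outside. The following is an added example (not IBM's code and not part of the ejs project) of the defensive checks an application owner can apply in front of such an engine: building render locals from an allowlist of fields, stripping engine-steering keys from any open-ended object, and validating that identifier-type view options are in fact identifiers. The option names are common ejs/Express names, and the sample request object is constructed for this example.

```javascript
// Added example (not IBM's or the ejs project's code): keep request-controlled
// data away from template-engine options. Key names below are common ejs/Express
// option names; the sample query object is constructed for this example.

// Engine- and framework-level keys that must never be taken from a request.
const ENGINE_OPTION_KEYS = new Set([
  'settings',            // Express app settings; ejs reads settings['view options']
  'outputFunctionName', 'localsName', 'destructuredLocals',
  'escape', 'escapeFunction', 'client', 'delimiter', 'openDelimiter',
  'closeDelimiter', 'filename', 'root', 'views', 'cache', 'compileDebug',
  'debug', 'strict', '_with', 'rmWhitespace', 'async', 'context', 'includer',
]);

// Keys that would let a caller tamper with object prototypes.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Only plain JavaScript identifiers are acceptable as code-generation option
// values; anything else could be spliced into the compiled template function.
const JS_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Preferred pattern: copy an explicit allowlist of fields into the render
// locals instead of handing req.query / req.body to res.render() as a whole.
function pickLocals(untrusted, allowedFields) {
  const locals = {};
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(untrusted, field)) {
      locals[field] = untrusted[field];
    }
  }
  return locals;
}

// Fallback when the field set is open-ended: drop every key that steers the
// engine and report what was dropped so it can be logged or alerted on.
function stripEngineOptions(untrusted) {
  const clean = {};
  const rejected = [];
  for (const key of Object.keys(untrusted)) {
    if (ENGINE_OPTION_KEYS.has(key) || PROTOTYPE_KEYS.has(key)) {
      rejected.push(key);
    } else {
      clean[key] = untrusted[key];
    }
  }
  return { clean, rejected };
}

// Configuration check for the server-side 'view options' object itself:
// returns the names of identifier-type options whose value is not an identifier.
function invalidViewOptions(viewOptions) {
  const problems = [];
  for (const name of ['outputFunctionName', 'localsName']) {
    const value = viewOptions[name];
    if (value !== undefined && !(typeof value === 'string' && JS_IDENTIFIER.test(value))) {
      problems.push(name);
    }
  }
  const dl = viewOptions.destructuredLocals;
  if (dl !== undefined &&
      !(Array.isArray(dl) && dl.every((v) => typeof v === 'string' && JS_IDENTIFIER.test(v)))) {
    problems.push('destructuredLocals');
  }
  return problems;
}

// Constructed sample: what a nested query-string parser produces for a request
// that smuggles settings[view options][outputFunctionName] next to a real field.
const sampleQuery = {
  title: 'Welcome',
  settings: { 'view options': { outputFunctionName: 'not an identifier' } },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('allowlisted locals:', pickLocals(sampleQuery, ['title']));
  console.log('stripped:', stripEngineOptions(sampleQuery));
  console.log('bad view options:', invalidViewOptions(sampleQuery.settings['view options']));
}
```

In an Express application the allowlist form (`res.render('page', pickLocals(req.query, ['title']))`) is the one to prefer; `stripEngineOptions` is a second line of defence for handlers that forward arbitrary objects, and its `rejected` list is a useful signal for detection since a legitimate client never sends `settings` or `outputFunctionName`.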
Affected Product(s) | Version(s) |
---|---|
IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |
Refer to Workarounds and Mitigations.
IBM strongly recommends addressing the vulnerability now by executing the following steps on IBM Integration Bus:
For IBM Integration Bus v10 10.0.0.0 - 10.0.0.26, users can disable Node.js.
Refer to "Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs".
CPE | Name | Operator | Version |
---|---|---|---|
| ibm integration bus | ge | 10.0.0.0 |
| ibm integration bus | le | 10.0.0.26 |