Lucene search

IBM986F55E094176309FEB8F67A412D6AB7E554F8E59C62A7FD930E7B24AF125754

HistoryJan 15, 2024 - 11:33 a.m.

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Node.js

2024-01-1511:33:57

www.ibm.com

ibm cloud pak

denial of service

vulnerability

node.js

cve-2023-44487

http/2

platform navigator

automation assets

upgrade

operator

ibm documentation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.6

Confidence

High

EPSS

0.816

Percentile

98.4%

JSON

Summary

Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to denial of service due to Node.js CVE-2023-44487.

Vulnerability Details

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
Platform Navigator in IBM Cloud Pak for Integration (CP4I)	2021.2.1
2021.4.1
2022.2.1
2022.4.1
2023.2.1
Automation Assets in IBM Cloud Pak for Integration (CP4I)	2021.2.1
2021.4.1
2022.2.1

Remediation/Fixes

Platform Navigator in IBM Cloud Pak for Integration

Upgrade Platform Navigator to either the LTS or CD version:

LTS: 2022.2.1-15 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=upgrading-platform-ui>

CD: 2023.4.1-0 using the Operator upgrade process described in the IBM Documentation
<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2023.4?topic=upgrading-platform-ui>

Automation Assets version****in IBM Cloud Pak for Integration

Upgrade Automation Assets Operator to 2022.2.1-15 using the Operator upgrade process described in the IBM Documentation

<https://www.ibm.com/docs/en/cloud-paks/cp-integration/2022.2?topic=capabilities-upgrading-automation-assets>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmcloud_pak_for_securityMatch2021.2.12021.4.12022.2.12022.4.12023.2.1

ibmcloud_pak_for_automationMatch2021.2.12021.4.12022.2.1

VendorProductVersionCPE
ibmcloud_pak_for_security2021.2.12021.4.12022.2.12022.4.12023.2.1cpe:2.3:a:ibm:cloud_pak_for_security:2021.2.12021.4.12022.2.12022.4.12023.2.1:*:*:*:*:*:*:*
ibmcloud_pak_for_automation2021.2.12021.4.12022.2.1cpe:2.3:a:ibm:cloud_pak_for_automation:2021.2.12021.4.12022.2.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	cloud_pak_for_security	2021.2.12021.4.12022.2.12022.4.12023.2.1	cpe:2.3:a:ibm:cloud_pak_for_security:2021.2.12021.4.12022.2.12022.4.12023.2.1:::::::*
ibm	cloud_pak_for_automation	2021.2.12021.4.12022.2.1	cpe:2.3:a:ibm:cloud_pak_for_automation:2021.2.12021.4.12022.2.1:::::::*