Security Bulletin: IBM App Connect Enterprise v11 is affected by vulnerabilities in Node.js (CVE-2021-23358)

Summary

IBM App Connect Enterprise v11 ships with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.

Vulnerability Details

CVEID:CVE-2021-23358
**DESCRIPTION:**Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198958 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM App connect Enterprise V11 , V11.0.0.0 - V11.0.0.12

Remediation/Fixes

Product

|

VRMF

| APAR|

Remediation / Fix

—|—|—|—
IBM App Connect Enterprise| V11.0.0.0-V11.0.0.12| IT36988|

The APAR is available in fix pack 11.0.0.13

IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.13

Workarounds and Mitigations

For IBM Integration Bus v10 V10.0.0.24 users can disable node js. Refer to
‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’