Published: Mar 17, 2023 - 10:46 a.m.

Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999]

Source: www.ibm.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.009 Low (percentile 82.3%)

Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service due to node.js module qs [CVE-2022-24999]. The vulnerability has been addressed.

Vulnerability Details

CVEID: CVE-2022-24999
**DESCRIPTION:** Express.js Express is vulnerable to a denial of service, caused by a prototype pollution flaw in qs. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/240815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
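The description above names the mechanism (a `__proto__` or `constructor` key reaching Object.prototype) but not how a query-string parser ends up there. The following is an added example, written for this page and not code from IBM, Express or the qs project: a minimal bracket-notation parser in a naive variant that can be driven to write onto Object.prototype, a hardened variant that rejects prototype-related key segments and builds on null-prototype objects, and a detection helper for request logs. All payload strings and the `polluted` property names are constructed for the demonstration. The denial-of-service effect IBM describes depends on what the application does with the polluted prototype; this example only shows the pollution step and the check that stops it.

```javascript
// Added example, not code from IBM, Express or the qs project. A minimal
// bracket-notation query-string parser in a naive and a hardened variant, plus
// a detection helper. It shows how a key path such as a[__proto__][x] or
// a[constructor][prototype][x] reaches Object.prototype when the parser walks
// the path over plain objects. All payload strings are constructed for this demo.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Percent-decode; on a malformed sequence return the raw text instead of throwing.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, ' ')); } catch { return s; }
}

// Split one "k=v" pair into decoded [key, value].
function decodePair(pair) {
  const idx = pair.indexOf('=');
  const rawKey = idx === -1 ? pair : pair.slice(0, idx);
  const rawVal = idx === -1 ? '' : pair.slice(idx + 1);
  return [safeDecode(rawKey), safeDecode(rawVal)];
}

// "a[b][c]" -> ["a", "b", "c"]; a key without brackets is a single segment.
function splitKeyPath(key) {
  const m = /^([^\[\]]+)((?:\[[^\[\]]*\])*)$/.exec(key);
  if (!m) return [key];
  const segments = [m[1]];
  const bracket = /\[([^\[\]]*)\]/g;
  let b;
  while ((b = bracket.exec(m[2])) !== null) segments.push(b[1]);
  return segments;
}

// Naive parser: follows whatever property the next segment names, including
// inherited ones, so "__proto__" lands on Object.prototype and "constructor"
// on the Object function (whose "prototype" is again Object.prototype).
function parseNaive(qs) {
  const out = {};
  for (const pair of qs.split('&').filter(Boolean)) {
    const [key, value] = decodePair(pair);
    const path = splitKeyPath(key);
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      if (cur[path[i]] === undefined) cur[path[i]] = {};
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value; // may write to Object.prototype
  }
  return out;
}

// Hardened parser: drops any pair whose key path names a prototype-related key
// and builds only null-prototype objects, so there is no chain left to walk.
function parseHardened(qs) {
  const out = Object.create(null);
  for (const pair of qs.split('&').filter(Boolean)) {
    const [key, value] = decodePair(pair);
    const path = splitKeyPath(key);
    if (path.some((seg) => FORBIDDEN_KEYS.has(seg))) continue; // reject, do not repair
    let cur = out;
    for (let i = 0; i < path.length - 1; i++) {
      const own = Object.prototype.hasOwnProperty.call(cur, path[i]);
      if (!own || typeof cur[path[i]] !== 'object') cur[path[i]] = Object.create(null);
      cur = cur[path[i]];
    }
    cur[path[path.length - 1]] = value;
  }
  return out;
}

// Detection helper for request logs or an edge rule: true when a raw query
// string carries a prototype-related key segment, even when percent-encoded.
function hasPrototypePollutionKey(qs) {
  return qs.split('&').filter(Boolean).some((pair) => {
    const [key] = decodePair(pair);
    return splitKeyPath(key).some((seg) => FORBIDDEN_KEYS.has(seg));
  });
}

// Run the naive parser on a payload, record what a fresh unrelated object now
// inherits, then delete the polluted property so the process is left clean.
function pollutionWitness(payload, prop) {
  parseNaive(payload);
  const seen = ({})[prop];
  delete Object.prototype[prop];
  return seen;
}

// Constructed payloads (not taken from the advisory or the CVE record)
const PAYLOAD_PROTO = 'a[__proto__][polluted]=yes';
const PAYLOAD_CTOR = 'a[constructor][prototype][polluted2]=yes';
const PAYLOAD_ENCODED = 'a%5B__proto__%5D%5Bx%5D=1';
const BENIGN = 'user[name]=alice&user[role]=admin';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive, __proto__ path    ->', pollutionWitness(PAYLOAD_PROTO, 'polluted'));
  console.log('naive, constructor path  ->', pollutionWitness(PAYLOAD_CTOR, 'polluted2'));
  parseHardened(PAYLOAD_PROTO);
  console.log('hardened, fresh object   ->', ({}).polluted);
  console.log('detector, encoded payload->', hasPrototypePollutionKey(PAYLOAD_ENCODED));
}
```

Run it with `node` to see the naive parser make an unrelated `{}` inherit `polluted`, and the hardened parser leave it untouched. Two design points carry over to real parsers: reject a pair whose key path contains a forbidden segment rather than trying to sanitise it, and keep parsed output on null-prototype objects so that even an unanticipated key spelling has no prototype chain to reach. The detector decodes before splitting, so a percent-encoded `%5B__proto__%5D` is caught the same as the literal form; it only inspects key paths, so a value that merely contains the string `__proto__` is not flagged.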

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0
IBM App Connect Enterprise | v11.0.0.1 - v11.0.0.16
IBM Integration Bus | v10.1
IBM Integration Bus | v10.0.0.0 - v10.0.0.26

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise or IBM Integration Bus.

Product(s) | Version(s) | APAR | Remediation / Fix
---|---|---|---
IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT43350 | The APAR IT43350 is available in fix pack 12.0.5.0: IBM App Connect Enterprise - 12.0.5.0
IBM App Connect Enterprise | v11.0.0.1 - v11.0.0.16 | IT43350 | The APAR IT43350 is available in fix pack 11.0.0.17: IBM App Connect Enterprise - 11.0.0.17
IBM Integration Bus | v10.1 | IT43350 | *See Workarounds and Mitigations
IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43350 | *See Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise or IBM Integration Bus.

For IBM Integration Bus v10.1, and for v10.0.0.24 and subsequent v10.0 fix packs, users can disable Node.js. Systems on a v10.0 fix pack earlier than v10.0.0.24 need to move to v10.0.0.24 or later before this option is available.

Refer to "Disabling Node.js in IBM Integration Bus v10.1, v10.0.0.24 and subsequent v10.0 fix packs".
