Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to node.js minimist module ( CVE-2021-44906)

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to the node.js minimist module ( CVE-2021-44906). A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise includes minimist 1.2.6

Vulnerability Details

CVEID:CVE-2021-44906
**DESCRIPTION:**Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise

This APAR is available in fix pack 12.0.4.0

IBM App Connect Enterprise Version v12 - Fix Pack 12.0.4.0

IBM App Connect Enterprise| 11.0.0.0 - 11.0.0.17| IT41332|

This APAR is available in fix pack 11.0.0.18

IBM App Connect Enterprise Version v11 - Fix Pack 11 .0.0.18

IBM Integration Bus| | | see section Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below

For IBM Integration Bus v10 V10.0.0.24 -V10.0.0.26 users can disable node.js

Refer to ‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’