Lucene search

IBMA3FAEB24F1C325D3F0D07AD953114AB5AA57A1CCB70A893622E9E45C30B57161

HistoryJun 05, 2024 - 2:55 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to denial of service [CVE-2024-22025]

2024-06-0514:55:36

www.ibm.com

ibm app connect enterprise

node.js

denial of service

vulnerability

patch

http calls

security bulletin

cve-2024-22025

upgrade

documentation

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score

5.6

Confidence

High

EPSS

Percentile

15.5%

JSON

Summary

Node.js is used by IBM App Connect Enterprise Certified Container as a runtime engine for processing data. IBM App Connect Enterprise Certified Container is vulnerable to denial of service when making HTTP calls using Node.js. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2024-22025]

Vulnerability Details

CVEID:CVE-2024-22025
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by a resource exhaustion flaw in fetch() brotli decoding . By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284417 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1
App Connect Enterprise Certified Container	8.2
App Connect Enterprise Certified Container	9.0
App Connect Enterprise Certified Container	9.1
App Connect Enterprise Certified Container	9.2
App Connect Enterprise Certified Container	10.0
App Connect Enterprise Certified Container	10.1
App Connect Enterprise Certified Container	11.0
App Connect Enterprise Certified Container	11.1
App Connect Enterprise Certified Container	11.2
App Connect Enterprise Certified Container	11.3
App Connect Enterprise Certified Container	11.4
App Connect Enterprise Certified Container	11.5

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 11.5.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 11.6.0 or higher, and ensure that all components are at 12.0.12.2-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.18 or higher, and ensure that all components are at 12.0.12.2-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

ibmapp_connect_enterpriseMatch8.2

ibmapp_connect_enterpriseMatch9.0

ibmapp_connect_enterpriseMatch9.1

ibmapp_connect_enterpriseMatch9.2

ibmapp_connect_enterpriseMatch10.0

ibmapp_connect_enterpriseMatch10.1

ibmapp_connect_enterpriseMatch11.0

ibmapp_connect_enterpriseMatch11.1

ibmapp_connect_enterpriseMatch11.2

ibmapp_connect_enterpriseMatch11.3

ibmapp_connect_enterpriseMatch11.4

ibmapp_connect_enterpriseMatch11.5

VendorProductVersionCPE
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.2cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.0cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.1cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.2cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.0cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.1cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.2cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise10.0cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*
ibm	app_connect_enterprise	7.2	cpe:2.3:a:ibm:app_connect_enterprise:7.2:::::::*
ibm	app_connect_enterprise	8.0	cpe:2.3:a:ibm:app_connect_enterprise:8.0:::::::*
ibm	app_connect_enterprise	8.1	cpe:2.3:a:ibm:app_connect_enterprise:8.1:::::::*
ibm	app_connect_enterprise	8.2	cpe:2.3:a:ibm:app_connect_enterprise:8.2:::::::*
ibm	app_connect_enterprise	9.0	cpe:2.3:a:ibm:app_connect_enterprise:9.0:::::::*
ibm	app_connect_enterprise	9.1	cpe:2.3:a:ibm:app_connect_enterprise:9.1:::::::*
ibm	app_connect_enterprise	9.2	cpe:2.3:a:ibm:app_connect_enterprise:9.2:::::::*
ibm	app_connect_enterprise	10.0	cpe:2.3:a:ibm:app_connect_enterprise:10.0:::::::*