Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29405]

Summary

The IBM App Connect Enterprise Certified Container operator is written in Golang Go, as are parts of the ace-server application. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability in Golang Go. [CVE-2023-29405]

Vulnerability Details

CVEID:CVE-2023-29405
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by a flaw when running “go get” on a malicious module. By sending a specially crafted request using linker flags, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257655 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 9.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 9.1.0 or higher, and ensure that all components are at 12.0.9.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.9 or higher, and ensure that all components are at 12.0.9.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None