CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
23.3%
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that run with designerFlowsOperationMode set to “all” require an API Key to be defined for a cloud-hosted instance of IBM App Connect. If an OpenShift secret was not created manually for this API Key, the IBM App Connect Enterprise Certified Container operator would create the secret, but the secret name would include a hash derived from the API Key, and that hash used a weak hashing algorithm. This bulletin provides patch information to address the reported vulnerability CVE-2022-43922.
CVEID: CVE-2022-43922
**DESCRIPTION:** IBM App Connect Enterprise Certified Container could disclose sensitive information to an attacker due to a weak hash of an API Key in the configuration.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241583 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
| Affected Product(s) | Version(s) |
|---|---|
| App Connect Enterprise Certified Container | 4.1 |
| App Connect Enterprise Certified Container | 4.2 |
| App Connect Enterprise Certified Container | 5.0-lts |
| App Connect Enterprise Certified Container | 5.1 |
| App Connect Enterprise Certified Container | 5.2 |
| App Connect Enterprise Certified Container | 6.0 |
| App Connect Enterprise Certified Container | 6.1 |
| App Connect Enterprise Certified Container | 6.2 |
App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1 and 6.2 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 7.0.0 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
If the DesignerAuthoring configuration includes the field “spec.ibmCloudAPIKey” and it is set to “ProvideAsASecretInIBMCloudAPIKeySecret”, then delete the OpenShift secret referred to in “spec.ibmCloudAPIKeySecret”.
Remove the following fields from the DesignerAuthoring definition:
App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)
Upgrade to App Connect Enterprise Certified Container Operator version 5.0.3 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
If the DesignerAuthoring configuration includes the field “spec.ibmCloudAPIKey” and it is set to “ProvideAsASecretInIBMCloudAPIKeySecret”, then delete the OpenShift secret referred to in “spec.ibmCloudAPIKeySecret”.
Remove the following fields from the DesignerAuthoring definition:
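An added audit helper (example code, not part of IBM's bulletin or of the operator) that checks DesignerAuthoring objects against the fixed levels given above for both channels and emits the secret-deletion step from the remediation. It assumes the component level is recorded in spec.version and that the objects come from `oc get designerauthoring -A -o json`; the sample input is constructed.

```python
import re

# Minimum fixed DesignerAuthoring levels named in the bulletin, per channel.
FIXED_CD = "12.0.7.0-r2"       # Continuous Delivery (operator 7.0.0 or higher)
FIXED_LTS = "12.0.7.0-r1-lts"  # 5.0 LTS (operator 5.0.3 or higher)
SECRET_MODE = "ProvideAsASecretInIBMCloudAPIKeySecret"
_VER = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)(-lts)?$")

def parse_version(v):
    """'12.0.7.0-r2' -> ((12, 0, 7, 0), 2, False); a '-lts' suffix sets the flag."""
    m = _VER.match(v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))  # pad so '12.0.7-r2' compares like '12.0.7.0-r2'
    return nums, int(m.group(2)), m.group(3) is not None

def is_fixed(version):
    """True if the component is at or above the fixed level for its own channel."""
    nums, rev, lts = parse_version(version)
    f_nums, f_rev, _ = parse_version(FIXED_LTS if lts else FIXED_CD)
    return (nums, rev) >= (f_nums, f_rev)

def audit(items):
    """Return (namespace, name, action) triples; assumes the level is in spec.version (assumption, not from the bulletin)."""
    actions = []
    for cr in items:
        ns, name = cr["metadata"]["namespace"], cr["metadata"]["name"]
        spec = cr.get("spec", {})
        version = spec.get("version")
        if version is None or not is_fixed(version):  # a missing version is treated as unfixed
            actions.append((ns, name, f"upgrade: spec.version {version!r} is below the fixed level"))
        # Bulletin step: if the API key is supplied via a secret, the operator-named secret must be deleted.
        if spec.get("ibmCloudAPIKey") == SECRET_MODE and spec.get("ibmCloudAPIKeySecret"):
            actions.append((ns, name, f"oc delete secret -n {ns} {spec['ibmCloudAPIKeySecret']}"))
    return actions

# Constructed sample standing in for the output of `oc get designerauthoring -A -o json`.
SAMPLE = [
    {"metadata": {"namespace": "ace", "name": "da-old"},
     "spec": {"version": "12.0.6.0-r1", "ibmCloudAPIKey": SECRET_MODE,
              "ibmCloudAPIKeySecret": "da-old-api-key-secret"}},
    {"metadata": {"namespace": "ace", "name": "da-lts"},
     "spec": {"version": "12.0.7.0-r1-lts"}},
]

if __name__ == "__main__":
    for ns, name, action in audit(SAMPLE):
        print(f"{ns}/{name}: {action}")
```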
None