Lucene search

K
ibmIBMB1D76C00C3AF9154CC96455A591C23D896A5218230CB2BCC12B95C3B8C3AF8F9
HistoryJan 26, 2023 - 11:46 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that run with designerFlowsOperationMode set to "all" may be vulnerable to loss of confidentiality due to CVE-2022-43922

2023-01-2611:46:23
www.ibm.com
16
ibm app connect
enterprise certified container
cve-2022-43922
api key
openshift
patch
upgrade
vulnerability

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.5%

Summary

IBM App Connect Enterprise Certified Container DesignerAuthoring operands that run with designerFlowsOperationMode set to “all” would require an API Key to be defined for a cloud-hosted instance of IBM App Connect. If an OpenShift secret was not created manually for this API Key then the IBM App Connect Enterprise Certified Container operator would create the secret, but the name would include a hash based on the API Key. This used a weak hashing algorithm. This bulletin provides patch information to address the reported vulnerability CVE-2022-43922

Vulnerability Details

CVEID:CVE-2022-43922
**DESCRIPTION:**IBM App Connect Enterprise Certified Container could disclose sensitive information to an attacker due to a weak hash of an API Key in the configuration.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241583 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 4.1
App Connect Enterprise Certified Container 4.2
App Connect Enterprise Certified Container 5.0-lts
App Connect Enterprise Certified Container 5.1
App Connect Enterprise Certified Container 5.2
App Connect Enterprise Certified Container 6.0
App Connect Enterprise Certified Container 6.1
App Connect Enterprise Certified Container 6.2

Remediation/Fixes

App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1 and 6.2 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 7.0.0 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

If the DesignerAuthroing configuration includes the field “spec.ibmCloudAPIKey” and it is set to “ProvideAsASecretInIBMCloudAPIKeySecret” then delete the OpenShift secret referred to in “spec.ibmCloudAPIKeySecret”

Remove the following fields from the DesignerAuthoring definition:

  • spec.appConnectInstanceID
  • spec.appConnectURL
  • spec.ibmCloudAPIKey
  • spec.ibmCloudAPIKeySecret
  • spec.ibmCloudAPIKeyValue

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.3 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

If the DesignerAuthroing configuration includes the field “spec.ibmCloudAPIKey” and it is set to “ProvideAsASecretInIBMCloudAPIKeySecret” then delete the OpenShift secret referred to in “spec.ibmCloudAPIKeySecret”

Remove the following fields from the DesignerAuthoring definition:

  • spec.appConnectInstanceID
  • spec.appConnectURL
  • spec.ibmCloudAPIKey
  • spec.ibmCloudAPIKeySecret
  • spec.ibmCloudAPIKeyValue

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmapp_connect_enterpriseMatch4.1
OR
ibmapp_connect_enterpriseMatch4.2
OR
ibmapp_connect_enterpriseMatch5.0
OR
ibmapp_connect_enterpriseMatch5.1
OR
ibmapp_connect_enterpriseMatch5.2
OR
ibmapp_connect_enterpriseMatch6.0
OR
ibmapp_connect_enterpriseMatch6.1
OR
ibmapp_connect_enterpriseMatch6.2

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

25.5%

Related for B1D76C00C3AF9154CC96455A591C23D896A5218230CB2BCC12B95C3B8C3AF8F9