History: Jan 26, 2023 - 11:46 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that run with designerFlowsOperationMode set to "all" may be vulnerable to loss of confidentiality due to CVE-2022-43922

www.ibm.com

CVSS3 base score: 6.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.001
Percentile: 23.3%

Summary

IBM App Connect Enterprise Certified Container DesignerAuthoring operands that run with designerFlowsOperationMode set to "all" require an API Key to be defined for a cloud-hosted instance of IBM App Connect. If an OpenShift secret was not created manually for this API Key, the IBM App Connect Enterprise Certified Container operator created the secret itself, and the secret's name included a hash derived from the API Key. That hash used a weak hashing algorithm. This bulletin provides patch information to address the reported vulnerability CVE-2022-43922.

Vulnerability Details

CVEID: CVE-2022-43922
DESCRIPTION: IBM App Connect Enterprise Certified Container could disclose sensitive information to an attacker due to a weak hash of an API Key in the configuration.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241583 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s): App Connect Enterprise Certified Container
Version(s): 4.1, 4.2, 5.0-lts, 5.1, 5.2, 6.0, 6.1, 6.2

Remediation/Fixes

App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1 and 6.2 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 7.0.0 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

If the DesignerAuthoring configuration includes the field "spec.ibmCloudAPIKey" and it is set to "ProvideAsASecretInIBMCloudAPIKeySecret", then delete the OpenShift secret referred to in "spec.ibmCloudAPIKeySecret".

Remove the following fields from the DesignerAuthoring definition:

  • spec.appConnectInstanceID
  • spec.appConnectURL
  • spec.ibmCloudAPIKey
  • spec.ibmCloudAPIKeySecret
  • spec.ibmCloudAPIKeyValue

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.3 or higher, and ensure that all DesignerAuthoring components are at 12.0.7.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

If the DesignerAuthoring configuration includes the field "spec.ibmCloudAPIKey" and it is set to "ProvideAsASecretInIBMCloudAPIKeySecret", then delete the OpenShift secret referred to in "spec.ibmCloudAPIKeySecret".

Remove the following fields from the DesignerAuthoring definition:

  • spec.appConnectInstanceID
  • spec.appConnectURL
  • spec.ibmCloudAPIKey
  • spec.ibmCloudAPIKeySecret
  • spec.ibmCloudAPIKeyValue
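As an added example that is not part of the bulletin, the Python helper below applies the two post-upgrade steps above to a DesignerAuthoring manifest: it names the operator-created secret that must be deleted when spec.ibmCloudAPIKey is set to ProvideAsASecretInIBMCloudAPIKeySecret, and returns a copy of the manifest with the five listed spec fields removed. The sample manifest, its names and its apiVersion are constructed placeholders; export the real object from the cluster before using the cleaned copy.

```python
import copy
import json

# The five spec fields the bulletin says to remove from the DesignerAuthoring definition.
DEPRECATED_FIELDS = (
    "appConnectInstanceID",
    "appConnectURL",
    "ibmCloudAPIKey",
    "ibmCloudAPIKeySecret",
    "ibmCloudAPIKeyValue",
)

# spec.ibmCloudAPIKey value that means the operator created the secret itself.
SECRET_MODE = "ProvideAsASecretInIBMCloudAPIKeySecret"


def audit_designer_authoring(manifest):
    """Return (secret_to_delete, cleaned_manifest, removed_fields).

    secret_to_delete is spec.ibmCloudAPIKeySecret when the operator-managed
    secret mode is in use, otherwise None. The input manifest is not modified.
    """
    spec = manifest.get("spec", {})
    secret_to_delete = None
    if spec.get("ibmCloudAPIKey") == SECRET_MODE:
        secret_to_delete = spec.get("ibmCloudAPIKeySecret")
    cleaned = copy.deepcopy(manifest)
    removed = [f for f in DEPRECATED_FIELDS if f in cleaned.get("spec", {})]
    for field in removed:
        del cleaned["spec"][field]
    return secret_to_delete, cleaned, removed


# Constructed sample in the affected configuration; every value is a placeholder.
SAMPLE = {
    "apiVersion": "appconnect.ibm.com/v1beta1",  # assumed group/version
    "kind": "DesignerAuthoring",
    "metadata": {"name": "des-01", "namespace": "ace"},
    "spec": {
        "designerFlowsOperationMode": "all",
        "ibmCloudAPIKey": SECRET_MODE,
        "ibmCloudAPIKeySecret": "des-01-ibm-cloud-api-key",  # placeholder name
        "appConnectInstanceID": "PLACEHOLDER-INSTANCE-ID",
        "appConnectURL": "https://example.invalid/appconnect",
        "version": "12.0.6.0-r1",
    },
}

if __name__ == "__main__":
    secret, cleaned, removed = audit_designer_authoring(SAMPLE)
    print("secret to delete:", secret, "| fields removed:", removed)
    print(json.dumps(cleaned, indent=2))
```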

Workarounds and Mitigations

None
