
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer Flows containing event nodes are vulnerable to loss of confidentiality [CVE-2024-38372]

2024-08-01 15:04:06
www.ibm.com
ibm
app connect enterprise
certified container
vulnerability
confidentiality
node.js undici module
cve-2024-38372

CVSS3: 2

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N

AI Score: 6.2
Confidence: High

Summary

Node.js undici module is used by IBM App Connect Enterprise Certified Container for HTTP calls. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run Designer flows that contain event nodes are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in the Node.js undici module. [CVE-2024-38372]

Vulnerability Details

**CVEID:** CVE-2024-38372
**DESCRIPTION:** Node.js undici module could allow a remote authenticated attacker to obtain sensitive information, caused by a data leak flaw when using response.arrayBuffer(). By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297634 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| App Connect Enterprise Certified Container | 5.0.18 |
| App Connect Enterprise Certified Container | 11.6.0 |
| App Connect Enterprise Certified Container | 12.0.0 |

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 11.6.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 12.1.0 or higher, and ensure that all DesignerAuthoring, IntegrationServer and IntegrationRuntime components are at 12.0.12.3-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 12.0.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 12.0.1 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.12-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/12.0?topic=umfpr-upgrading-operator-releases>

App Connect Enterprise Certified Container 5.0.18 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.19 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.12.3-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners node: vendor ibm, product app_connect_enterprise, matching any of versions 5.0, 7.1, 7.2, 8.0, 8.1, 8.2, 9.0, 9.1, 9.2, 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 12.0.

| Vendor | Product | Version | CPE |
| --- | --- | --- | --- |
| ibm | app_connect_enterprise | 5.0 | cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 7.1 | cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 7.2 | cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 8.0 | cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 8.1 | cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 8.2 | cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 9.0 | cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 9.1 | cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 9.2 | cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:* |
| ibm | app_connect_enterprise | 10.0 | cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:* |
