History: Jun 17, 2024 - 2:45 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to IBM Java SDK (CVE-2024-38264)

2024-06-17 14:45:23
www.ibm.com

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.7 Medium (Confidence: High)
EPSS: 0.0004 Low (Percentile: 9.1%)

Summary

IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to IBM Java SDK, Java Technology Edition. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

**CVEID:** CVE-2023-38264
**DESCRIPTION:** The IBM SDK, Java Technology Edition's Object Request Broker (ORB) 7.1.0.0 through 7.1.5.21 and 8.0.0.0 through 8.0.8.21 is vulnerable to a denial of service attack in some circumstances due to improper enforcement of the JEP 290 MaxRef and MaxDepth deserialization filters. IBM X-Force ID: 260578.
**CVSS Base score:** 5.9
**CVSS Temporal Score:** See https://exchange.xforce.ibmcloud.com/vulnerabilities/260578 for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
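The control this bulletin concerns is the JEP 290 deserialization filter, whose `maxdepth` and `maxrefs` limits bound how large an object graph `ObjectInputStream` will reconstruct before rejecting it. The following is an added illustration, not IBM's code and not the affected ORB: it assumes a Java 9 or later JDK, builds a constructed sample of a linked chain of `Node` objects, and shows a correctly enforced filter accepting a shallow graph and rejecting a deep one.

```java
import java.io.*;

// Added example: a JEP 290 ObjectInputFilter capping graph depth and reference
// count, demonstrated against a shallow and a deep serialized object chain.
public class Jep290DepthFilter {

    // Minimal serializable node used to build a nested graph (constructed sample).
    static final class Node implements Serializable {
        private static final long serialVersionUID = 1L;
        Node next;
    }

    // Build a linked chain of the given length and serialize it to bytes.
    static byte[] serializeChain(int length) throws IOException {
        Node head = new Node();
        Node cur = head;
        for (int i = 1; i < length; i++) {
            cur.next = new Node();
            cur = cur.next;
        }
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(head);
        }
        return bos.toByteArray();
    }

    // Deserialize under a filter pattern. The JDK checks maxdepth/maxrefs for every
    // object it reads; an over-deep or over-referenced graph is rejected with
    // InvalidClassException before the whole graph is materialised.
    static boolean deserializeWithFilter(byte[] data, String pattern)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;   // accepted by the filter
        } catch (InvalidClassException e) {
            return false;  // rejected by the filter (status REJECTED)
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow only Node, and cap depth at 20 and total references at 100.
        String pattern = "maxdepth=20;maxrefs=100;Jep290DepthFilter$Node;!*";
        byte[] shallow = serializeChain(5);
        byte[] deep = serializeChain(500);
        System.out.println("shallow accepted: " + deserializeWithFilter(shallow, pattern));
        System.out.println("deep accepted:    " + deserializeWithFilter(deep, pattern));
    }
}
```

The shallow chain deserializes; the 500-node chain is rejected as soon as depth exceeds 20, which is the behaviour a deserialization endpoint relies on to avoid resource exhaustion from oversized graphs.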

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.2 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.26 |
| IBM Integration Bus for z/OS | 10.1 - 10.1.0.3 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS.

| Affected Product(s) | Version(s) | APAR | Remediation / Fixes |
|---|---|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.12.2 | PH61646 | The APAR (PH61646) is available from IBM App Connect Enterprise v12 - Fix Pack Release 12.0.12.3 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.26 | PH61646 | Interim fix for APAR (PH61646) is available to apply to 11.0.0.26 from IBM Fix Central |
| IBM Integration Bus for z/OS | 10.1 - 10.1.0.3 | PH61646 | Interim fix for APAR (PH61646) is available to apply to 10.1.0.3 from IBM Fix Central |

Workarounds and Mitigations

None

