Lucene search

IBMC097225B212CACB2B5F18C045193B922FA8EA8221AED27CA47A38ED82FA2E209

HistoryJul 31, 2023 - 5:53 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution due to [CVE-2023-29402]

2023-07-3117:53:40

www.ibm.com

ibm

app connect enterprise

golang go

arbitrary code execution

cve-2023-29402

upgrade

security bulletin

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.007

Percentile

81.0%

JSON

Summary

The IBM App Connect Enterprise Certified Container operator is written in Golang Go, as are parts of the ace-server application. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability in Golang Go. [CVE-2023-29402]

Vulnerability Details

CVEID:CVE-2023-29402
**DESCRIPTION:**Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by the generation of unexpected code at build time when using cgo. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257652 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	4.1
App Connect Enterprise Certified Container	4.2
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	5.1
App Connect Enterprise Certified Container	5.2
App Connect Enterprise Certified Container	6.0
App Connect Enterprise Certified Container	6.1
App Connect Enterprise Certified Container	6.2
App Connect Enterprise Certified Container	7.0
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1
App Connect Enterprise Certified Container	8.2
App Connect Enterprise Certified Container	9.0

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 9.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 9.1.0 or higher, and ensure that all components are at 12.0.9.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.9 or higher, and ensure that all components are at 12.0.9.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch4.1

ibmapp_connect_enterpriseMatch4.2

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch5.1

ibmapp_connect_enterpriseMatch5.2

ibmapp_connect_enterpriseMatch6.0

ibmapp_connect_enterpriseMatch6.1

ibmapp_connect_enterpriseMatch6.2

ibmapp_connect_enterpriseMatch7.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

ibmapp_connect_enterpriseMatch8.2

ibmapp_connect_enterpriseMatch9.0

VendorProductVersionCPE
ibmapp_connect_enterprise4.1cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise4.2cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.1cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.2cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.0cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.1cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.2cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.0cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	4.1	cpe:2.3:a:ibm:app_connect_enterprise:4.1:::::::*
ibm	app_connect_enterprise	4.2	cpe:2.3:a:ibm:app_connect_enterprise:4.2:::::::*
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	5.1	cpe:2.3:a:ibm:app_connect_enterprise:5.1:::::::*
ibm	app_connect_enterprise	5.2	cpe:2.3:a:ibm:app_connect_enterprise:5.2:::::::*
ibm	app_connect_enterprise	6.0	cpe:2.3:a:ibm:app_connect_enterprise:6.0:::::::*
ibm	app_connect_enterprise	6.1	cpe:2.3:a:ibm:app_connect_enterprise:6.1:::::::*
ibm	app_connect_enterprise	6.2	cpe:2.3:a:ibm:app_connect_enterprise:6.2:::::::*
ibm	app_connect_enterprise	7.0	cpe:2.3:a:ibm:app_connect_enterprise:7.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*