Lucene search

IBMC83C15107896ABE3446D6BF9E3CF787AF64C35543BD4A255DA3B3A13BCA6AB37

HistoryJul 21, 2023 - 12:31 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950)

2023-07-2112:31:53

www.ibm.com

ibm

app connect enterprise

integration bus

vulnerability

ibm mq

denial of service

cve-2023-26285

cve-2023-28950

fix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

35.3%

JSON

Summary

Features requiring MQ client connectivity in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-26285, CVE-2023-28950). The fix includes IBM Managed File Transfer and IBM MQ classes for Java at version 9.2.0.11

Vulnerability Details

CVEID:CVE-2023-26285
**DESCRIPTION:**IBM MQ 9.2 CD, 9.2 LTS, 9.3 CD, and 9.3 LTS could allow a remote attacker to cause a denial of service due to an error processing invalid data. IBM X-Force ID: 248418.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/248418 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-28950
**DESCRIPTION:**IBM MQ 8.0, 9.0, 9.1, 9.2, and 9.3 could disclose sensitive user information from a trace file if that functionality has been enabled. IBM X-Force ID: 251358.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251358 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM App Connect Enterprise	12.0.1.0 - 12.0.9.0
IBM App Connect Enterprise	11.0.0.1 - 11.0.0.21
IBM Integration Bus	10.1 - 10.1.0.1

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus

Affected Product(s)	Version(s)	APAR	Remediation / Fix
IBM App Connect Enterprise	12.0.1.0 - 12.0.9.0	IT44007

Interim fix for APAR (IT44007) is available to apply to 12.0.9.0 from

IBM Fix Central

IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.21| IT44007|

Interim fix for APAR (IT44007) is available to apply to 11.0.0.21 from

IBM Fix Central

IBM Integration Bus| 10.1 - 10.1.0.1| IT44007|

Interim fix for APAR (IT44007) is available to apply to 10.1.0.1 from

IBM Fix Central

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseRange12.0.1.0≥

ibmapp_connect_enterpriseRange≤12.0.9.0

ibmapp_connect_enterpriseRange11.0.0.1≥

ibmapp_connect_enterpriseRange≤11.0.0.21

ibmintegration_busRange10.1≥

ibmintegration_busRange≤10.1.0.1

CPENameOperatorVersion
ibm app connect enterprisege12.0.1.0
ibm app connect enterprisele12.0.9.0
ibm app connect enterprisege11.0.0.1
ibm app connect enterprisele11.0.0.21
ibm integration busge10.1
ibm integration busle10.1.0.1

Name	Operator	Version
ibm app connect enterprise	ge	12.0.1.0
ibm app connect enterprise	le	12.0.9.0
ibm app connect enterprise	ge	11.0.0.1
ibm app connect enterprise	le	11.0.0.21
ibm integration bus	ge	10.1
ibm integration bus	le	10.1.0.1