Lucene search

IBMD2FFF86174F3475C4235B20A4CD914E2013BDDEFB60F5B3E2F788F984A2C8E12

HistoryFeb 27, 2024 - 3:02 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a denial of service due to MiniZip (CVE-2023-45853)

2024-02-2715:02:47

www.ibm.com

ibm

app connect enterprise

integration bus

z/os

minizip

denial of service

vulnerability

cve-2023-45853

integer overflow

heap-based buffer overflow

apar

it44909

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.8%

JSON

Summary

MiniZip, in IBM App Connect Enterprise and IBM Integration Bus for z/OS is vulnerable to a denial of service. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2023-45853
**DESCRIPTION:**MiniZip is vulnerable to a denial of service, caused by an integer overflow and resultant heap-based buffer overflow in the zipOpenNewFileInZip4_64 function. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268650 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM App Connect Enterprise	12.0.1.0 - 12.0.10.0
IBM App Connect Enterprise	11.0.0.1 - 11.0.0.23
IBM Integration Bus for z/OS	10.1 - 10.1.0.2

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus

Affected Product(s)	Version(s)	APAR	Remediation / Fixes
IBM App Connect Enterprise	12.0.1.0 - 12.0.10.0	IT44909

The APAR (IT44909) is available from

IBM App Connect Enterprise v12 - Security Fix Pack Release 12.0.10.1

IBM App Connect Enterprise| 11.0.0.1 - 11.0.0.23| IT44909|

The APAR (IT44909) is available from

IBM App Connect Enterprise v11 - Fix Pack Release 11.0.0.24

IBM Integration Bus for z/OS| 10.1 - 10.1.0.2| IT44909|

The APAR (IT44909) is available from

IBM Integration Bus for z/OS v10.1 - Fix Pack Release 10.1.0.3

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseRange12.0.1.0≥

ibmapp_connect_enterpriseRange≤12.0.10.0

ibmapp_connect_enterpriseRange11.0.0.1≥

ibmapp_connect_enterpriseRange≤11.0.0.23

ibmintegration_busRange10.1≥

ibmintegration_busRange≤10.1.0.2

CPENameOperatorVersion
ibm app connect enterprisege12.0.1.0
ibm app connect enterprisele12.0.10.0
ibm app connect enterprisege11.0.0.1
ibm app connect enterprisele11.0.0.23
ibm integration bus for z/osge10.1
ibm integration bus for z/osle10.1.0.2

Name	Operator	Version
ibm app connect enterprise	ge	12.0.1.0
ibm app connect enterprise	le	12.0.10.0
ibm app connect enterprise	ge	11.0.0.1
ibm app connect enterprise	le	11.0.0.23
ibm integration bus for z/os	ge	10.1
ibm integration bus for z/os	le	10.1.0.2