History: Jul 04, 2022 - 4:02 p.m.

Security Bulletin: IBM Integration Bus and IBM App Connect Enterprise are vulnerable to arbitrary code execution due to async (CVE-2021-43138) and nconf (CVE-2022-21803)

Published: 2022-07-04 16:02:00, www.ibm.com

EPSS: 0.001 (Low), Percentile: 48.2%

Summary

IBM Integration Bus and IBM App Connect Enterprise are vulnerable to arbitrary code execution due to the async (CVE-2021-43138) and nconf (CVE-2022-21803) modules for Node.js. A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise include async >=3.2.3 and nconf 0.12.0.

Vulnerability Details

CVEID: CVE-2021-43138
**DESCRIPTION:** Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223605 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-21803
**DESCRIPTION:** The Node.js nconf module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw when using the memory engine. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
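Both CVEs above are prototype-pollution bugs: a recursive merge or "set by key path" routine that walks into `__proto__` or `constructor.prototype` ends up writing attacker-chosen keys onto `Object.prototype`, where every object in the process then inherits them. The following is an added example written for this bulletin; it is not IBM's code and not the async or nconf source. It uses a constructed JSON payload and hypothetical function names (`naiveMerge`, `safeMerge`) to show the defect pattern, a hardened merge that refuses the dangerous keys, and a check a defender can run after loading untrusted configuration to confirm `Object.prototype` was not modified.

```javascript
// Added illustration of the prototype-pollution pattern behind CVE-2021-43138
// and CVE-2022-21803. Not the async/nconf implementation; the payload below is
// constructed for this example.

// Keys that must never be used as property names when merging untrusted input.
const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Constructed untrusted input, e.g. a config file or request body. JSON.parse
// creates an *own* property literally named "__proto__", which a naive walker
// then treats like any other key.
const UNTRUSTED_JSON = '{"port": 8080, "__proto__": {"polluted": true}}';

// Defective pattern: recurses into target[key] for every key in the source.
// For key "__proto__", target[key] resolves (via the accessor) to
// Object.prototype, so the nested keys are written onto the global prototype.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value && typeof value === "object") {
      if (!target[key]) target[key] = {};
      naiveMerge(target[key], value); // walks into Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened pattern: only own keys, reject prototype-chain keys, and only
// recurse into a target slot that is an own, plain-object property.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      continue; // drop silently; a stricter policy would reject the whole input
    }
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      const ownSlot =
        Object.prototype.hasOwnProperty.call(target, key) &&
        target[key] !== null &&
        typeof target[key] === "object";
      if (!ownSlot) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Detection check: has a property with this name been added to
// Object.prototype itself? Inherited built-ins like "toString" are own
// properties of Object.prototype, so compare against a known-clean name.
function isPrototypePolluted(name) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, name);
}

// Runs the defective merge on the constructed payload, records whether the
// global prototype was polluted, then restores it so the process stays clean.
function demonstratePollution() {
  const before = isPrototypePolluted("polluted");
  naiveMerge({}, JSON.parse(UNTRUSTED_JSON));
  const during = isPrototypePolluted("polluted");
  const unrelated = {}; // any fresh object now "has" the injected key
  const inherited = unrelated.polluted === true;
  delete Object.prototype.polluted; // cleanup for this demonstration only
  const after = isPrototypePolluted("polluted");
  return { before, during, inherited, after };
}

// Runs the hardened merge on the same payload: the legitimate key is applied,
// the prototype-chain key is dropped, and Object.prototype is untouched.
function demonstrateSafeMerge() {
  const cfg = safeMerge({ port: 80, tls: { enabled: false } }, JSON.parse(UNTRUSTED_JSON));
  return { port: cfg.port, tlsEnabled: cfg.tls.enabled, polluted: isPrototypePolluted("polluted") };
}

console.log("naive merge:", demonstratePollution());
console.log("safe merge:", demonstrateSafeMerge());
```

The `ownSlot` test in `safeMerge` is the part most implementations get wrong: it is not enough to skip the literal string `__proto__`, because a walker that recurses into whatever `target[key]` returns will still reach a prototype through an inherited slot. Parsing untrusted configuration into objects created with `Object.create(null)` removes the prototype chain entirely and is a good complement to the key denylist.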

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.17 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT41068 | This APAR (IT41068) is available in fix pack 12.0.5.0: IBM App Connect Enterprise Version v12 - Fix Pack 12.0.5.0 |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.17 | IT41068 | This APAR (IT41068) is available in fix pack 11.0.0.18: IBM App Connect Enterprise Version v11 - Fix Pack 11.0.0.18 |
| IBM Integration Bus | | | See section Workarounds and Mitigations |

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below.

For IBM Integration Bus v10 (V10.0.0.24 - V10.0.0.26), users can disable Node.js.

Refer to 'Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs'.
