IBM Integration Bus and IBM App Connect Enterprise are vulnerable to arbitrary code execution due to the async (CVE-2021-43138) and nconf (CVE-2022-21803) modules for Node.js. A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise include async >=3.2.3 and nconf 0.12.0.
CVEID: CVE-2021-43138
**DESCRIPTION:** Async could allow a remote attacker to execute arbitrary code on the system, caused by prototype pollution in the mapValues() method. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/223605 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-21803
**DESCRIPTION:** The Node.js nconf module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw when using the memory engine. By adding or modifying properties of Object.prototype using a `__proto__` or `constructor` payload, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224357 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
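Both descriptions above come down to the same defect: a nested-path setter (as in nconf's memory engine) or a key-copying helper (as in async's mapValues) that will follow a `__proto__` or `constructor` segment into Object.prototype. The following is an added example, not IBM's, nconf's or async's code; it shows the hardened form of such a setter and a simple runtime check a defender can use to detect that the shared prototype has been written to. The colon-separated path syntax and the names `safeSet`, `isPrototypePolluted` and `demo` are assumptions made for this example.

```javascript
'use strict';

// Added example (not IBM's, nconf's or async's code). Path syntax "a:b:c" and
// the function names are assumptions chosen for this illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Sets a nested value in a config store, creating intermediate objects.
// Any path segment that could reach Object.prototype is refused outright
// instead of being written, which is the mitigation the bulletin's fixed
// module versions apply.
function safeSet(store, path, value) {
  const keys = path.split(':');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) {
      throw new Error(`refusing to set prototype-reaching key: ${k}`);
    }
  }
  let node = store;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    // Descend only through own, plain-object properties; never through
    // anything inherited from the prototype chain.
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) {
      node[k] = Object.create(null); // null-prototype container
    }
    node = node[k];
  }
  node[keys[keys.length - 1]] = value;
  return store;
}

// Detection: a brand-new empty object must not enumerate any keys. If it
// does, something has added an enumerable property to Object.prototype.
function isPrototypePolluted() {
  for (const inherited in {}) return true; // eslint-disable-line no-unused-vars
  return false;
}

// Constructed sample: a normal config write succeeds, a prototype-reaching
// write is refused, and the shared prototype stays clean.
function demo() {
  const store = Object.create(null);
  safeSet(store, 'database:host', 'db.internal');
  let rejected = false;
  try {
    safeSet(store, '__proto__:polluted', true);
  } catch (e) {
    rejected = true;
  }
  return { host: store.database.host, rejected, polluted: isPrototypePolluted() };
}
```

The `isPrototypePolluted` probe is cheap enough to run at startup or in a health check on a Node.js process that loads untrusted configuration.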
| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.17 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise.
| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT41068 | This APAR (IT41068) is available in fix pack 12.0.5.0: IBM App Connect Enterprise Version v12 - Fix Pack 12.0.5.0 |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.17 | IT41068 | This APAR (IT41068) is available in fix pack 11.0.0.18: IBM App Connect Enterprise Version v11 - Fix Pack 11.0.0.18 |
| IBM Integration Bus | | | See section Workarounds and Mitigations |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below.
For IBM Integration Bus v10, users of V10.0.0.24 - V10.0.0.26 can disable Node.js.
Refer to "Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs".