
Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-28513).

Published: 2023-09-22 15:02:19
Source: www.ibm.com
Tags: ibm app connect enterprise, ibm integration bus, ibm mq, denial of service, vulnerability, cve-2023-28513, ibm managed file transfer, java classes

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 Low
Percentile: 47.4%

Summary

Features requiring MQ client connectivity in IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a denial of service due to IBM MQ (CVE-2023-28513). The fix includes IBM Managed File Transfer and IBM MQ classes for Java at version 9.2.0.15.

Vulnerability Details

**CVEID:** CVE-2023-28513
**DESCRIPTION:** IBM MQ 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.3 CD and IBM MQ Appliance 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.2 LTS, under certain configurations, is vulnerable to a denial of service attack caused by an error processing messages. IBM X-Force ID: 250397.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/250397 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.9.0 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.21 |
| IBM Integration Bus | 10.1 - 10.1.0.1 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.

| Affected Product(s) | Version(s) | APAR | Remediation / Fixes |
|---|---|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.9.0 | IT44274 (this supersedes IT44007) | Interim fix for APAR (IT44274) is available to apply to 12.0.9.0 from IBM Fix Central |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.21 | IT44274 (this supersedes IT44007) | The APAR (IT44274) is available from IBM App Connect Enterprise v11 - Fix Pack 11.0.0.22 |
| IBM Integration Bus | 10.1 - 10.1.0.1 | IT44274 (this supersedes IT44007) | Interim fix for APAR (IT44274) is available to apply to 10.1.0.1 from IBM Fix Central |

Workarounds and Mitigations

None

Affected configurations

Vulners node (vendor, product, range), any of:

ibm, app_connect_enterprise, range 12.0.1.0
ibm, app_connect_enterprise, range 12.0.9.0
ibm, app_connect_enterprise, range 11.0.0.1
ibm, app_connect_enterprise, range 11.0.0.21
ibm, integration_bus, range 10.1
ibm, integration_bus, range 10.1.0.1
