Lucene search

K
ibmIBMDBBA9AAA66ECF3E34A5B0096C29694B0D5CA4A3DA55C4397D2540809F383AB20
HistoryNov 07, 2022 - 11:20 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use Mapping Assistance may be vulnerable to loss of confidentiality due to CVE-2022-28614

2022-11-0711:20:14
www.ibm.com
11

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

71.2%

Summary

Apache HTTP Server is used by IBM App Connect Enterprise Certified Container for Mapping Assistance. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use Mapping Assistance may be vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability CVE-2022-28614 in Apache HTTP Server.

Vulnerability Details

CVEID:CVE-2022-28614
**DESCRIPTION:**Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in the ap_rwrite() function. By reflecting very large input using ap_rwrite() or ap_rputs(), such as with mod_luas r:puts() function, an attacker could exploit this vulnerability to read unintended memory.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228342 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 4.1
App Connect Enterprise Certified Container 4.2
App Connect Enterprise Certified Container 5.0-lts
App Connect Enterprise Certified Container 5.1
App Connect Enterprise Certified Container 5.2
App Connect Enterprise Certified Container 6.0

Remediation/Fixes

App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2 and 6.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 6.1.0 or higher, and ensure that all DesignerAuthoring components are at 12.0.6.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.1 or higher, and ensure that all DesignerAuthoring components are at 12.0.6.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

71.2%

Related for DBBA9AAA66ECF3E34A5B0096C29694B0D5CA4A3DA55C4397D2540809F383AB20