History: Jun 09, 2023 - 3:37 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a local user accessing sensitive information due to IBM MQ Managed File Transfer and Apache Commons Net (CVE-2021-37533, CVE-2022-42436, CVE-2022-43919)

Published: 2023-06-09 15:37:32
Source: www.ibm.com
Tags: ibm app connect enterprise, ibm integration bus, ibm mq managed file transfer, apache commons net, vulnerability, fix pack 12.0.8.0, it43656

CVSS3: 6.5 Medium
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
(Aggregator score for the bulletin as a whole; IBM's own per-CVE scores and vectors are listed under Vulnerability Details below and differ from this one.)

EPSS: 0.003 Low (percentile 65.4%)

Summary

IBM App Connect Enterprise and IBM Integration Bus FTE nodes are exposed to three issues: a flaw in IBM MQ Managed File Transfer that lets a local user obtain sensitive information from diagnostic files, a flaw in IBM MQ that lets an authenticated attacker with authority to craft messages cause a denial of service, and a flaw in Apache Commons Net whose FTP client trusts the host address returned in a PASV response, so that a malicious FTP server can direct the client to connect to hosts on the private network and learn about the services running there (CVE-2021-37533, CVE-2022-42436, CVE-2022-43919). The fix includes IBM MQ 9.2.0.10.

Vulnerability Details

CVEID: CVE-2021-37533
**DESCRIPTION:** Apache Commons Net could allow a remote attacker to obtain sensitive information because, by default, its FTP client trusts the host address returned in the server's PASV response and opens the data connection to that address. By persuading a victim to connect to a specially crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
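The PASV-trust weakness described above, shown as an added Python example that is not from the IBM bulletin or the Apache Commons Net project: it parses a 227 reply, contrasts the pre-fix behaviour (open the data connection to whatever address the server announces) with the hardened policy (keep the address of the control connection and take only the port from the reply, which is the default Apache Commons Net adopted in 3.9.0), and adds a small detection helper for FTP control-channel traffic seen at a proxy or IDS. The server address, all replies and the function names are the example's own constructions.

```python
"""Added example: the PASV-trust flaw behind CVE-2021-37533, in miniature.

In passive mode the FTP client asks the server where to open the data
connection and the server answers with a 227 reply carrying an address
and a port.  A client that uses the announced address verbatim can be
pointed by a malicious server at any host the client can reach, such as
an internal service; whether that connection succeeds, and what comes
back over it, leaks information about the private network.
All replies and addresses below are constructed, not captured.
"""
import ipaddress
import re
from typing import Optional, Tuple

# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
_PASV_RE = re.compile(
    r"\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)"
)


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Parse a 227 reply into (announced_host, port); reject malformed input."""
    if not reply.startswith("227"):
        raise ValueError(f"not a PASV reply: {reply!r}")
    m = _PASV_RE.search(reply)
    if m is None:
        raise ValueError(f"no (h1,h2,h3,h4,p1,p2) tuple in reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError(f"octet out of range in reply: {reply!r}")
    host = ".".join(str(b) for b in fields[:4])
    port = (fields[4] << 8) | fields[5]
    if port == 0:
        raise ValueError("PASV reply announced port 0")
    return host, port


def rejects(reply: str) -> bool:
    """True if parse_pasv refuses the reply (used to exercise the error paths)."""
    try:
        parse_pasv(reply)
    except ValueError:
        return True
    return False


def data_endpoint(control_host: str, reply: str, trust_pasv_host: bool) -> Tuple[str, int]:
    """Where the client would open the data connection.

    trust_pasv_host=True  reproduces the vulnerable default (CVE-2021-37533).
    trust_pasv_host=False reproduces the hardened policy: the port comes from
    the reply, the address is the one the control connection already uses.
    """
    announced_host, port = parse_pasv(reply)
    if trust_pasv_host:
        return announced_host, port
    return control_host, port


def pasv_redirect_finding(control_host: str, reply: str) -> Optional[str]:
    """Detection helper: describe a reply that points away from the server.

    Returns None when the announced address equals the control-connection
    address (the normal case), otherwise a short finding string that says
    whether the target is a private/loopback address.
    """
    announced_host, port = parse_pasv(reply)
    if announced_host == control_host:
        return None
    target = ipaddress.ip_address(announced_host)
    kind = "private/internal" if (target.is_private or target.is_loopback) else "external"
    return (f"PASV from {control_host} redirects data connection to "
            f"{kind} host {announced_host}:{port}")


if __name__ == "__main__":
    SERVER = "203.0.113.10"                                     # constructed
    benign = "227 Entering Passive Mode (203,0,113,10,195,80)"  # constructed
    hostile = "227 Entering Passive Mode (10,0,0,5,0,22)"       # constructed
    print(data_endpoint(SERVER, hostile, trust_pasv_host=True))   # ('10.0.0.5', 22)
    print(data_endpoint(SERVER, hostile, trust_pasv_host=False))  # ('203.0.113.10', 22)
    print(pasv_redirect_finding(SERVER, benign))                  # None
    print(pasv_redirect_finding(SERVER, hostile))
```

The hardened branch deliberately does not try to "validate" the announced address (for example by rejecting private ranges): a server behind NAT legitimately announces addresses that differ from the one the client connected to, and an allow-list of address classes is easy to get wrong. Reusing the control-connection address sidesteps the question entirely, which is why it is the safer default.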

CVEID: CVE-2022-42436
**DESCRIPTION:** IBM MQ 8.0.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0 Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. IBM X-Force ID: 238206.
CVSS Base score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238206 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2022-43919
**DESCRIPTION:** IBM MQ 9.2 CD, 9.2 LTS, 9.3 CD, and 9.3 LTS could allow an authenticated attacker with authorization to craft messages to cause a denial of service. IBM X-Force ID: 241354.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.20 |
| IBM Integration Bus | 10.1 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.7.0 | IT43656 | The APAR (IT43656) is available in Fix Pack 12.0.8.0: IBM App Connect Enterprise v12 - Fix Pack 12.0.8.0 |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.20 | IT43656 | Interim fix for APAR (IT43656) is available to apply to 11.0.0.20 from IBM Fix Central |
| IBM Integration Bus | v10.1 | IT43656 | Interim fix for APAR (IT43656) is available to apply to 10.1 from IBM Fix Central |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT43656 | Interim fix for APAR (IT43656) is available to apply to 10.0.0.26 from IBM Fix Central |

Workarounds and Mitigations

None

Affected configurations (Vulners)

- ibm app_connect_enterprise: 12.0.1.0 - 12.0.7.0
- ibm app_connect_enterprise: 11.0.0.0 - 11.0.0.20
- ibm integration_bus: 10.1
- ibm integration_bus: 10.0.0.0 - 10.0.0.26
