Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305)

Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305). This affects the logging infrastructure in IBM App Connect Enterprise and IBM Integration Bus. The fix includes Apache Log4j v2.17.1.

Vulnerability Details

CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID:CVE-2022-23307
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2022-23302
**DESCRIPTION:**Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

V11.0.0.0 to V11.0.0.15

Also affects IBM App Connect Enterprise Toolkit

V11.0.0.0 to V11.0.0.16

IBM Integration Bus| V10.0.0.6 to V10.0.0.25

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by the applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise.

**In addition, apply the appropriate remediation to IBM Integration Bus Toolkit/IBM App Connect Enterprise Toolkit. **

Note: This supersedes APARs IT39377 and IT39458

Product(s)

|

Version(s)

| APAR|

**Remediation / Fix and Instructions **

—|—|—|—
IBM App Connect Enterprise
| V12.0.1.0 to V12.0.3.0| IT39515|

Interim APAR fix for Windows is available from

12.0.3.0 IBM Fix Central

12.0.2.0 IBM Fix Central

12.0.1.0 IBM Fix Central

Interim APAR fix for the following platforms is available from IBM Fix Central

• Linux x86-64
• AIX
• Linux on System z
• Linux on Power Little Endian

IBM App Connect Enterprise
| V11.0.0.0- V11.0.0.15| IT39515|

Interim fix for APAR is available for v11.0.0.10-11.0.0.15 from

IBM Fix Central

IBM Integration Bus
| V10.0.0.6 to V10.0.0.25| IT39515|

Interim fix for APAR is available for 10.0.0.25 from

IBM Fix Central

Remediation to the IBM Integration Toolkit V10 and IBM App Connect Enterprise Toolkit V11, V12

Delete the following file:
$MQSI_FILEPATH/tools/plugins/org.apache.log4j_<version>.v<datestamp>.jar

Where version is a 3 digit log4j version number and <datestamp> is the build date of the plugin.

• For example: org.apache.log4j_1.2.15.v201012070815.jar

Note that after applying this remediation it is not possible to install new patterns in the pattern explorer or install new features / software using the eclipse “Install Software or Update” dialog boxes.

Workarounds and Mitigations

None