9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.009 Low
EPSS
Percentile
83.0%
IBM App Connect Enterprise & IBM Integration Bus are vulnerable to arbitrary code execution due to Apache Log4j (CVE-2022-23307, CVE-2022-23302) and SQL injection due to Apache Log4j (CVE-2022-23305). This affects the logging infrastructure in IBM App Connect Enterprise and IBM Integration Bus. The fix includes Apache Log4j v2.17.1.
CVEID:CVE-2022-23305
**DESCRIPTION:**Apache Log4j is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the JDBCAppender, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217461 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-23307
**DESCRIPTION:**Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization in the in Apache Chainsaw component. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217462 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2022-23302
**DESCRIPTION:**Apache Log4j could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization in JMSSink. By sending specially-crafted JNDI requests using TopicConnectionFactoryBindingName configuration, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/217460 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | V12.0.1.0 to V12.0.3.0 |
IBM App Connect Enterprise |
V11.0.0.0 to V11.0.0.15
Also affects IBM App Connect Enterprise Toolkit
V11.0.0.0 to V11.0.0.16
IBM Integration Bus| V10.0.0.6 to V10.0.0.25
IBM strongly recommends addressing the vulnerability now by the applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise.
**In addition, apply the appropriate remediation to IBM Integration Bus Toolkit/IBM App Connect Enterprise Toolkit. **
Note: This supersedes APARs IT39377 and IT39458
Product(s)
|
Version(s)
| APAR|
**Remediation / Fix and Instructions **
โ|โ|โ|โ
IBM App Connect Enterprise
| V12.0.1.0 to V12.0.3.0| IT39515|
Interim APAR fix for Windows is available from
Interim APAR fix for the following platforms is available from IBM Fix Central
IBM App Connect Enterprise
| V11.0.0.0- V11.0.0.15| IT39515|
Interim fix for APAR is available for v11.0.0.10-11.0.0.15 from
IBM Integration Bus
| V10.0.0.6 to V10.0.0.25| IT39515|
Interim fix for APAR is available for 10.0.0.25 from
Remediation to the IBM Integration Toolkit V10 and IBM App Connect Enterprise Toolkit V11, V12
Delete the following file:
$MQSI_FILEPATH/tools/plugins/org.apache.log4j_<version>.v<datestamp>.jar
Where version is a 3 digit log4j version number and <datestamp> is the build date of the plugin.
Note that after applying this remediation it is not possible to install new patterns in the pattern explorer or install new features / software using the eclipse โInstall Software or Updateโ dialog boxes.
None
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.009 Low
EPSS
Percentile
83.0%