Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987)

Published: Nov 14, 2022 - 2:14 p.m.
Source: www.ibm.com

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None)

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:P/I:N/A:N
(Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None)

EPSS: 0.002 Low (Percentile: 58.0%)

Summary

IBM App Connect Enterprise and IBM Integration Bus ship with Node.js, for which vulnerabilities were reported. They have been addressed by an interim fix (ifix), a fix pack release, and an option to disable Node.js (CVE-2022-29244, CVE-2022-33987).

Vulnerability Details

CVEID: CVE-2022-29244
**DESCRIPTION:** Node.js npm module could allow a remote authenticated attacker to obtain sensitive information, caused by an issue with ignoring root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag. By sending a specially-crafted request using npm pack or npm publish, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-33987
**DESCRIPTION:** Node.js got module could allow a remote attacker to bypass security restrictions, caused by an unspecified flaw. By sending a specially-crafted request, an attacker could exploit this vulnerability to perform a redirect to a UNIX socket.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/229246 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.18 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT41716 | This APAR (IT41716) is available in fix pack 12.0.5.0: IBM Integration Bus version v12 – Fix Pack 12.0.5.0 link |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.18 | IT41716 | Interim fix for APAR IT41716 is available from IBM Fix Central (link v11 - interim fix available to apply to 11.0.0.18) |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | n/a | See *Workarounds and Mitigations |

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below.

For IBM Integration Bus v10.0.0.24 - v10.0.0.26, users can disable Node.js.

Refer to 'Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs'.
