Lucene search

IBMF4E81ED05FE7AA60EFC879573519022A116452D0EE9DE26A31762C897323D3B1

HistoryJun 05, 2024 - 2:58 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to XSS attacks due to [CVE-2024-1135]

2024-06-0514:58:54

www.ibm.com

ibm

app connect enterprise

container

designer

xss attacks

gunicorn

vulnerability

patch

upgrade

documentation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

7.3

Confidence

High

EPSS

Percentile

9.0%

JSON

Summary

Gunicorn is used by IBM App Connect Enterprise Certified Container by the mapping assistance component. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance are vulnerable to XSS attacks. This bulletin provides patch information to address the reported vulnerability in Gunicorn. [CVE-2024-1135]

Vulnerability Details

CVEID:CVE-2024-1135
**DESCRIPTION:**Gunicorn is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP transfer-encoding headers. By sending a specially crafted HTTP(S) transfer-encoding header, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/287833 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1
App Connect Enterprise Certified Container	8.2
App Connect Enterprise Certified Container	9.0
App Connect Enterprise Certified Container	9.1
App Connect Enterprise Certified Container	9.2
App Connect Enterprise Certified Container	10.0
App Connect Enterprise Certified Container	10.1
App Connect Enterprise Certified Container	11.0
App Connect Enterprise Certified Container	11.1
App Connect Enterprise Certified Container	11.2
App Connect Enterprise Certified Container	11.3
App Connect Enterprise Certified Container	11.4
App Connect Enterprise Certified Container	11.5

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 11.5.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 11.6.0 or higher, and ensure that all DesignerAuthoring components are at 12.0.12.2-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.18 or higher, and ensure that all DesignerAuthoring components are at 12.0.12.2-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

ibmapp_connect_enterpriseMatch8.2

ibmapp_connect_enterpriseMatch9.0

ibmapp_connect_enterpriseMatch9.1

ibmapp_connect_enterpriseMatch9.2

ibmapp_connect_enterpriseMatch10.0

ibmapp_connect_enterpriseMatch10.1

ibmapp_connect_enterpriseMatch11.0

ibmapp_connect_enterpriseMatch11.1

ibmapp_connect_enterpriseMatch11.2

ibmapp_connect_enterpriseMatch11.3

ibmapp_connect_enterpriseMatch11.4

ibmapp_connect_enterpriseMatch11.5

VendorProductVersionCPE
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.2cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.0cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.1cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.2cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.0cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.1cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.2cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise10.0cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*
ibm	app_connect_enterprise	7.2	cpe:2.3:a:ibm:app_connect_enterprise:7.2:::::::*
ibm	app_connect_enterprise	8.0	cpe:2.3:a:ibm:app_connect_enterprise:8.0:::::::*
ibm	app_connect_enterprise	8.1	cpe:2.3:a:ibm:app_connect_enterprise:8.1:::::::*
ibm	app_connect_enterprise	8.2	cpe:2.3:a:ibm:app_connect_enterprise:8.2:::::::*
ibm	app_connect_enterprise	9.0	cpe:2.3:a:ibm:app_connect_enterprise:9.0:::::::*
ibm	app_connect_enterprise	9.1	cpe:2.3:a:ibm:app_connect_enterprise:9.1:::::::*
ibm	app_connect_enterprise	9.2	cpe:2.3:a:ibm:app_connect_enterprise:9.2:::::::*
ibm	app_connect_enterprise	10.0	cpe:2.3:a:ibm:app_connect_enterprise:10.0:::::::*