Lucene search

IBMFF718C8CB1FEAF56F702F38EEE7D060C299F40A662886C25F513F20B709316ED

HistoryAug 23, 2024 - 9:57 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operator and operands are vulnerable to denial of service [CVE-2023-45288]

2024-08-2309:57:41

www.ibm.com

ibm

app connect enterprise certified container

denial of service

golang

vulnerability

patch

versions

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

JSON

Summary

IBM App Connect Enterprise Certified Container operator and operands are vulnerable to denial of service due to a Golang vulnerability. This bulletin provides patch information to address the reported vulnerability in the net/http and x/net/http2 packages. [CVE-2023-45288]

Vulnerability Details

CVEID:CVE-2023-45288
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw due to flood of CONTINUATION frames in the HTTP/2 protocol stack in the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286962 for the current score.
CVSS Vector:

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1
App Connect Enterprise Certified Container	8.2
App Connect Enterprise Certified Container	9.0
App Connect Enterprise Certified Container	9.1
App Connect Enterprise Certified Container	9.2
App Connect Enterprise Certified Container	10.0
App Connect Enterprise Certified Container	10.1
App Connect Enterprise Certified Container	11.0
App Connect Enterprise Certified Container	11.1
App Connect Enterprise Certified Container	11.2
App Connect Enterprise Certified Container	11.3
App Connect Enterprise Certified Container	11.4
App Connect Enterprise Certified Container	11.5
App Connect Enterprise Certified Container	11.6
App Connect Enterprise Certified Container	12.0
App Connect Enterprise Certified Container	12.1

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 12.1.0 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 12.2.0 or higher, and ensure that all components are at 12.0.12.4-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 12.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 12.0.1 or higher, and ensure that all components are at 12.0.12-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/12.0?topic=umfpr-upgrading-operator-releases>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.19 or higher, and ensure that all components are at 12.0.12.3-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

ibmapp_connect_enterpriseMatch8.2

ibmapp_connect_enterpriseMatch9.0

ibmapp_connect_enterpriseMatch9.1

ibmapp_connect_enterpriseMatch9.2

ibmapp_connect_enterpriseMatch10.0

ibmapp_connect_enterpriseMatch10.1

ibmapp_connect_enterpriseMatch11.0

ibmapp_connect_enterpriseMatch11.1

ibmapp_connect_enterpriseMatch11.2

ibmapp_connect_enterpriseMatch11.3

ibmapp_connect_enterpriseMatch11.4

ibmapp_connect_enterpriseMatch11.5

ibmapp_connect_enterpriseMatch11.6

ibmapp_connect_enterpriseMatch12.0

ibmapp_connect_enterpriseMatch12.1

VendorProductVersionCPE
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.2cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.0cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.1cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise8.2cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.0cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.1cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise9.2cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise10.0cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*
ibm	app_connect_enterprise	7.2	cpe:2.3:a:ibm:app_connect_enterprise:7.2:::::::*
ibm	app_connect_enterprise	8.0	cpe:2.3:a:ibm:app_connect_enterprise:8.0:::::::*
ibm	app_connect_enterprise	8.1	cpe:2.3:a:ibm:app_connect_enterprise:8.1:::::::*
ibm	app_connect_enterprise	8.2	cpe:2.3:a:ibm:app_connect_enterprise:8.2:::::::*
ibm	app_connect_enterprise	9.0	cpe:2.3:a:ibm:app_connect_enterprise:9.0:::::::*
ibm	app_connect_enterprise	9.1	cpe:2.3:a:ibm:app_connect_enterprise:9.1:::::::*
ibm	app_connect_enterprise	9.2	cpe:2.3:a:ibm:app_connect_enterprise:9.2:::::::*
ibm	app_connect_enterprise	10.0	cpe:2.3:a:ibm:app_connect_enterprise:10.0:::::::*