Lucene search

K
ibmIBMFFDE8D079419291E03B99CD03062031F32C44C801D2257697E407E3C3A6DB60E
HistoryDec 01, 2022 - 4:50 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service due to CVE-2022-27405

2022-12-0116:50:32
www.ibm.com
12

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

65.6%

Summary

FreeType is not used directly by IBM App Connect Enterprise Certified Container but is present as an operating system module in the DesignerAuthoring image used for mapping assistance. IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use mapping assistance may be vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability CVE-2022-27405 in FreeType.

Vulnerability Details

CVEID:CVE-2022-27405
**DESCRIPTION:**FreeType is vulnerable to a denial of service, caused by a segmentation violation in the FNT_Size_Request function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to stop responding.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225145 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
App Connect Enterprise Certified Container 4.1
App Connect Enterprise Certified Container 4.2
App Connect Enterprise Certified Container 5.0-lts
App Connect Enterprise Certified Container 5.1
App Connect Enterprise Certified Container 5.2
App Connect Enterprise Certified Container 6.0
App Connect Enterprise Certified Container 6.1

Remediation/Fixes

App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0 and 6.1 (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 6.2.0 or higher, and ensure that all DesignerAuthoring components that use mapping assistance are at 12.0.7.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator&gt;

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.2 or higher, and ensure that all DesignerAuthoring components that use mapping assistance are at 12.0.6.0-r2-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator&gt;

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.003 Low

EPSS

Percentile

65.6%

Related for FFDE8D079419291E03B99CD03062031F32C44C801D2257697E407E3C3A6DB60E