Lucene search

IBM0CE339B3D74891B827F69F8A062E31203EDDBCCB8778A528BEB6D4C0CFD7F558

HistoryJul 25, 2023 - 1:39 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to [CVE-2022-40897]

2023-07-2513:39:30

www.ibm.com

ibm

app connect enterprise

container

vulnerability

denial of service

python setuptools

cve-2022-40897

patch

upgrade

documentation

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

0.005 Low

EPSS

Percentile

77.5%

JSON

Summary

Python setuptools is present in the IBM App Connect Enterprise Certified Container operand images. Python setuptools is vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Python setuptools. [CVE-2022-40897]

Vulnerability Details

CVEID:CVE-2022-40897
**DESCRIPTION:**Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending request with a specially crafted regular expression, an remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243028 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	4.1
App Connect Enterprise Certified Container	4.2
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	5.1
App Connect Enterprise Certified Container	5.2
App Connect Enterprise Certified Container	6.0
App Connect Enterprise Certified Container	6.1
App Connect Enterprise Certified Container	6.2
App Connect Enterprise Certified Container	7.0
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 7.2.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 8.0.0 or higher, and ensure that all components are at 12.0.7.0-r5 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.5 or higher, and ensure that all components are at 12.0.7.0-r3-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch4.1

ibmapp_connect_enterpriseMatch4.2

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch5.1

ibmapp_connect_enterpriseMatch5.2

ibmapp_connect_enterpriseMatch6.0

ibmapp_connect_enterpriseMatch6.1

ibmapp_connect_enterpriseMatch6.2

ibmapp_connect_enterpriseMatch7.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

CPENameOperatorVersion
ibm app connect enterpriseeq4.1
ibm app connect enterpriseeq4.2
ibm app connect enterpriseeq5.0
ibm app connect enterpriseeq5.1
ibm app connect enterpriseeq5.2
ibm app connect enterpriseeq6.0
ibm app connect enterpriseeq6.1
ibm app connect enterpriseeq6.2
ibm app connect enterpriseeq7.0
ibm app connect enterpriseeq7.1

Name	Operator	Version
ibm app connect enterprise	eq	4.1
ibm app connect enterprise	eq	4.2
ibm app connect enterprise	eq	5.0
ibm app connect enterprise	eq	5.1
ibm app connect enterprise	eq	5.2
ibm app connect enterprise	eq	6.0
ibm app connect enterprise	eq	6.1
ibm app connect enterprise	eq	6.2
ibm app connect enterprise	eq	7.0
ibm app connect enterprise	eq	7.1