5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
69.2%
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a man-in-the-middle attack, remote attacker bypassing security restrictions and denial of service due to openSSL vulnerabilities in Node.js (CVE-2022-1434, CVE-2022-1343, CVE-2022-1473). IBM App Connect provides a fix/fix pack including openSSL 1.1.1o. Mitigation steps to disable node.js have been recommended for IBM Integration Bus
CVEID:CVE-2022-1434
**DESCRIPTION:**OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of the AAD data as the MAC key in the RC4-MD5 ciphersuite. A remote attacker could exploit this vulnerability to predict the MAC key and launch a man-in-the-middle attack and gain access to the communication channel between endpoints to modify data in transit in such a way that it will pass a MAC integrity check.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID:CVE-2022-1343
**DESCRIPTION:**OpenSSL could allow a remote attacker to bypass security restrictions, caused by a incorrect verification of response signing certificates by the OCSP_basic_verify function. By sending a specially-crafted request using the OCSP_NOCHECKS flag, an attacker could exploit this vulnerability to forge positive verification results.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2022-1473
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a resource leakage when decoding certificates and keys by the OPENSSL_LH_flush() function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225616 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and mitigation to IBM Integration Bus **
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 |
IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.18 |
IBM Integration Bus |
10.0.0.0 - 10.0.0.26
(Linux x86-64 and Windows x86-64 only)
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise
Product(s) | Version(s) | APAR | Remediation / Fix |
---|---|---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 | IT41231 |
This APAR is available in fix pack 12.0.5.0
IBM App Connect Enterprise Version v12 - Fix Pack 12.0.5.0
IBM App Connect Enterprise| 11.0.0.0 - 11.0.0.18| IT41231|
This apar is available as an ifix from
IBM Integration Bus| 10.0.0.0 - 10.0.0.26| | see section Workarounds and Mitigations
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate action to IBM Integration Bus as outlined below
For IBM Integration Bus v10 V10.0.0.24 -V10.0.0.26 users can disable node js
Refer to βDisabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packsβ
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
0.003 Low
EPSS
Percentile
69.2%