CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%
Node.js is used by IBM App Connect Enterprise Certified Container as one of the main runtimes. IBM App Connect Enterprise Certified Container operands are vulnerable to loss of confidentiality and denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js. [CVE-2023-46809] [CVE-2024-21892] [CVE-2024-22019]
CVEID:CVE-2023-46809
**DESCRIPTION:**Node.js could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the privateDecrypt() API of the crypto library. An attacker could exploit this vulnerability to conduct a covert timing side-channel during PKCS#1 v1.5 padding error handling and obtain significant timing differences in decryption for valid and invalid ciphertexts.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282990 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2024-21892
**DESCRIPTION:**Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the exception of CAP_NET_BIND_SERVICE. An attacker could exploit this vulnerability to inject code that inherits the process’s elevated privileges.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282986 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2024-22019
**DESCRIPTION:**Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP request with unbounded chunk extension. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to exhaust all available resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282988 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 5.0-lts |
App Connect Enterprise Certified Container | 7.1 |
App Connect Enterprise Certified Container | 7.2 |
App Connect Enterprise Certified Container | 8.0 |
App Connect Enterprise Certified Container | 8.1 |
App Connect Enterprise Certified Container | 8.2 |
App Connect Enterprise Certified Container | 9.0 |
App Connect Enterprise Certified Container | 9.1 |
App Connect Enterprise Certified Container | 9.2 |
App Connect Enterprise Certified Container | 10.0 |
App Connect Enterprise Certified Container | 10.1 |
App Connect Enterprise Certified Container | 11.0 |
App Connect Enterprise Certified Container | 11.1 |
App Connect Enterprise Certified Container | 11.2 |
App Connect Enterprise Certified Container | 11.3 |
App Connect Enterprise Certified Container | 11.4 |
IBM strongly suggests the following:
App Connect Enterprise Certified Container up to 11.4.0 (Continuous Delivery)
Upgrade to App Connect Enterprise Certified Container Operator version 11.5.0 or higher, and ensure that all components are at 12.0.12.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)
Upgrade to App Connect Enterprise Certified Container Operator version 5.0.17 or higher, and ensure that all components are at 12.0.12.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | app_connect_enterprise | 5.0 | cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 7.1 | cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 7.2 | cpe:2.3:a:ibm:app_connect_enterprise:7.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 8.0 | cpe:2.3:a:ibm:app_connect_enterprise:8.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 8.1 | cpe:2.3:a:ibm:app_connect_enterprise:8.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 8.2 | cpe:2.3:a:ibm:app_connect_enterprise:8.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 9.0 | cpe:2.3:a:ibm:app_connect_enterprise:9.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 9.1 | cpe:2.3:a:ibm:app_connect_enterprise:9.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 9.2 | cpe:2.3:a:ibm:app_connect_enterprise:9.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 10.0 | cpe:2.3:a:ibm:app_connect_enterprise:10.0:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
16.3%