History: Mar 25, 2024 - 1:35 p.m.

Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a loss of confidentiality (CVE-2024-22356)

2024-03-25 13:35:48
www.ibm.com

CVSS3: 4.9 Medium

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | HIGH |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | NONE |
| Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

AI Score: 5.9 Medium (Confidence: High)

EPSS: 0.0004 Low (Percentile: 9.0%)

Summary

IBM App Connect Enterprise and IBM Integration Bus for z/OS are vulnerable to a loss of confidentiality. This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

**CVEID:** CVE-2024-22356
**DESCRIPTION:** IBM App Connect Enterprise and IBM Integration Bus for z/OS store potentially sensitive information in log or trace files that could be read by a privileged user.
CVSS Base score: 4.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/280893 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.9.0 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.23 |
| IBM Integration Bus | 10.1 - 10.1.0.2 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus for z/OS.

| Affected Product(s) | Version(s) | APAR | Remediation / Fixes |
| --- | --- | --- | --- |
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.9.0 | IT44973 | APAR (IT44973) is available from IBM App Connect Enterprise v12 - Fix Pack 12.0.10.0 |
| IBM App Connect Enterprise | 11.0.0.1 - 11.0.0.23 | IT44973 | APAR (IT44973) is available from IBM App Connect Enterprise v11 - Fix Pack 11.0.0.24 |
| IBM Integration Bus for z/OS | 10.1 - 10.1.0.2 | IT44973 | APAR (IT44973) is available from IBM Integration Bus for z/OS v10.1 - Fix Pack 10.1.0.3 |

Workarounds and Mitigations

None

Affected configurations

Vulners node:

ibm app_connect_enterprise, Range 12.0.1.0
OR
ibm app_connect_enterprise, Range 12.0.9.0
OR
ibm app_connect_enterprise, Range 11.0.0.1
OR
ibm app_connect_enterprise, Range 11.0.0.23
OR
ibm integration_bus, Range 10.1
OR
ibm integration_bus, Range 10.1.0.2
