History: Apr 20, 2023 - 12:34 p.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module (CVE-2022-25927)

2023-04-20 12:34:23
www.ibm.com
ibm app connect enterprise
denial of service
ua-parser-js
cve-2022-25927
fixpack
it43530

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

38.4%

Summary

IBM App Connect Enterprise is vulnerable to a denial of service due to the ua-parser-js module bundled in the Electron app (CVE-2022-25927). Electron is used for Discovery Connectors in IBM App Connect Enterprise. The latest fixpack includes ua-parser-js >= v1.0.33.

Vulnerability Details

CVEID: CVE-2022-25927
**DESCRIPTION:** The Node.js ua-parser-js module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw. By sending specially crafted input (typically a User-Agent string) that triggers catastrophic backtracking in the module's regular expressions, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245569 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s): IBM App Connect Enterprise
Version(s): v12.0.6.0 - v12.0.7.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM App Connect Enterprise.

Product(s): IBM App Connect Enterprise
Version(s): v12.0.6.0 - v12.0.7.0
APAR: IT43530

The APAR (IT43530) is available in

IBM App Connect Enterprise v12 - Fixpack 12.0.8.0

Workarounds and Mitigations

None
