Lucene search

IBM6244EB6607177E21B9BB0618725E48CB3B668358911A12142873E78B24FF0768

HistoryJun 01, 2023 - 3:03 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run designer flows containing Box nodes are vulnerable to security restriction bypass due to [CVE-2023-32313]

2023-06-0115:03:46

www.ibm.com

ibm

app connect enterprise

certified container

security restriction bypass

node.js module vm2

vulnerability

patch

cve-2023-32313

upgrade

documentation

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS

0.001

Percentile

42.8%

JSON

Summary

Node.js module vm2 is used by IBM App Connect Enterprise Certified Container by the Box connector in designer flows. IBM App Connect Enterprise Certified Container IntegrationServer and IntegrationRuntime operands that run designer flows containing Box nodes are vulnerable to security restriction bypass. This bulletin provides patch information to address the reported vulnerability in Node.js module vm2. [CVE-2023-32313]

Vulnerability Details

CVEID:CVE-2023-32313
**DESCRIPTION:**Node.js vm2 module could allow a remote attacker to bypass security restrictions, caused by a flaw in the node inspect method. By sending a specially-crafted request, an attacker could exploit this vulnerability to edit options for console.log.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/255366 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	4.1
App Connect Enterprise Certified Container	4.2
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	5.1
App Connect Enterprise Certified Container	5.2
App Connect Enterprise Certified Container	6.0
App Connect Enterprise Certified Container	6.1
App Connect Enterprise Certified Container	6.2
App Connect Enterprise Certified Container	7.0
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0
App Connect Enterprise Certified Container	8.1

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 8.1.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 8.2.0 or higher, and ensure that all DesignerAuthoring, IntegrationServer and IntegrationRuntime components are at 12.0.8.0-r2 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.7 or higher, and ensure that all DesignerAuthoring and IntegrationServer components are at 12.0.8.0-r2-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch4.1

ibmapp_connect_enterpriseMatch4.2

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch5.1

ibmapp_connect_enterpriseMatch5.2

ibmapp_connect_enterpriseMatch6.0

ibmapp_connect_enterpriseMatch6.1

ibmapp_connect_enterpriseMatch6.2

ibmapp_connect_enterpriseMatch7.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

ibmapp_connect_enterpriseMatch8.1

VendorProductVersionCPE
ibmapp_connect_enterprise4.1cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise4.2cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.1cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.2cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.0cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.1cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.2cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.0cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	4.1	cpe:2.3:a:ibm:app_connect_enterprise:4.1:::::::*
ibm	app_connect_enterprise	4.2	cpe:2.3:a:ibm:app_connect_enterprise:4.2:::::::*
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	5.1	cpe:2.3:a:ibm:app_connect_enterprise:5.1:::::::*
ibm	app_connect_enterprise	5.2	cpe:2.3:a:ibm:app_connect_enterprise:5.2:::::::*
ibm	app_connect_enterprise	6.0	cpe:2.3:a:ibm:app_connect_enterprise:6.0:::::::*
ibm	app_connect_enterprise	6.1	cpe:2.3:a:ibm:app_connect_enterprise:6.1:::::::*
ibm	app_connect_enterprise	6.2	cpe:2.3:a:ibm:app_connect_enterprise:6.2:::::::*
ibm	app_connect_enterprise	7.0	cpe:2.3:a:ibm:app_connect_enterprise:7.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*