History: Jun 10, 2022 - 4:27 p.m.

Security Bulletin: IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778)

www.ibm.com

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: PARTIAL

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: HIGH

EPSS: 0.015 (Percentile: 87.3%)

Summary

IBM App Connect Enterprise & IBM Integration Bus are vulnerable to a denial of service, due to OpenSSL (CVE-2022-0778). This affects the version of Node.js and the DataDirect ODBC driver shipped with IBM App Connect Enterprise and IBM Integration Bus. The fix includes OpenSSL 1.1.1n.

Vulnerability Details

CVEID: CVE-2022-0778
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt() function when parsing certificates. By using a specially-crafted certificate with invalid explicit curve parameters, a remote attacker could exploit this vulnerability to cause an infinite loop, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/221911 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.4.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.17 |
| IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |

Remediation/Fixes

IBM strongly recommends addressing the vulnerability now by applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise:

1. IT40404 addresses the DataDirect ODBC drivers which are affected by CVE-2022-0778.

2. IT41068 addresses the version of Node.js which is affected by CVE-2022-0778.

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT40404 | Interim fix for APAR (IT40404) for v12.0.4.0 is available from IBM Fix Central |
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.4.0 | IT41068 | Interim fix for APAR (IT41068) for v12.0.4.0 is available from IBM Fix Central |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.17 | IT40404 | The APAR (IT40404) is available in fix pack 11.0.0.18 (IBM App Connect Enterprise Version v11 - Fix Pack 11.0.0.18) |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.17 | IT41068 | This APAR (IT41068) is available in fix pack 11.0.0.18 (IBM App Connect Enterprise Version v11 - Fix Pack 11.0.0.18) |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT40404 | Interim fix for APAR (IT40404) is available from IBM Fix Central |
| IBM Integration Bus | v10.0.0.0 - v10.0.0.26 | IT41068 | See section Workarounds and Mitigations |

Workarounds and Mitigations

For IBM Integration Bus v10 (v10.0.0.0 - v10.0.0.26), users can disable Node.js.

Refer to ‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’.

Affected configurations

Vulners node:

ibm app_connect_enterprise Range 12.0.1.0
OR
ibm app_connect_enterprise Range 12.0.4.0
OR
ibm app_connect_enterprise Range 11.0.0.0
OR
ibm app_connect_enterprise Range 11.0.0.17
OR
ibm integration_bus Range 10.0.0.0
OR
ibm integration_bus Range 10.0.0.26

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | app_connect_enterprise | * | cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:* |
| ibm | integration_bus | * | cpe:2.3:a:ibm:integration_bus:*:*:*:*:*:*:*:* |
