IBM App Connect Enterprise v11 ships with Node.js for which vulnerabilities were reported and have been addressed. Vulnerability details are listed below.
CVEID: CVE-2021-23358
**DESCRIPTION:** Node.js underscore module could allow a remote attacker to execute arbitrary code on the system, caused by a flaw in the template function. By sending a specially-crafted argument using the variable property, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/198958 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
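One defensive check for application code that passes externally supplied settings to underscore's `_.template`, shown as an added example (not IBM's or underscore's own code). The helper name `sanitizeTemplateSettings`, its identifier pattern and the sample inputs are hypothetical and constructed for illustration.

```javascript
'use strict';

// Hypothetical helper: validates a settings object before it is handed to
// _.template(text, settings). Not part of underscore or any IBM product.
const BARE_IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const REGEX_KEYS = ['evaluate', 'interpolate', 'escape'];

function sanitizeTemplateSettings(untrusted) {
  if (untrusted === null || typeof untrusted !== 'object') {
    throw new TypeError('template settings must be an object');
  }
  const clean = {};
  // Delimiter settings must be real RegExp objects, never strings.
  for (const key of REGEX_KEYS) {
    if (!Object.prototype.hasOwnProperty.call(untrusted, key)) continue;
    if (!(untrusted[key] instanceof RegExp)) {
      throw new TypeError(`${key} must be a RegExp`);
    }
    clean[key] = untrusted[key];
  }
  // `variable` is the property named in CVE-2021-23358: accept only a
  // single bare identifier, and reject everything else outright.
  if (Object.prototype.hasOwnProperty.call(untrusted, 'variable')) {
    const v = untrusted.variable;
    if (typeof v !== 'string' || !BARE_IDENTIFIER.test(v)) {
      throw new TypeError('variable must be a single bare identifier');
    }
    clean.variable = v;
  }
  return clean; // keys outside the allow-list are dropped
}

// Constructed sample inputs (not taken from the bulletin).
const SAMPLES = [
  { variable: 'data' },
  { variable: 'data, extra' },
  { variable: 42 },
  { interpolate: /\{\{(.+?)\}\}/g, variable: '$ctx', unknownKey: true },
];

function classify(samples) {
  return samples.map((s) => {
    try { sanitizeTemplateSettings(s); return 'accepted'; }
    catch (e) { return 'rejected'; }
  });
}

console.log(classify(SAMPLES));
```

This check applies to application code that calls `_.template` directly; for the Node.js shipped with IBM App Connect Enterprise, the remediation is the fix pack listed below.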
IBM App Connect Enterprise V11, V11.0.0.0 - V11.0.0.12
| Product | VRMF | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | V11.0.0.0-V11.0.0.12 | IT36988 | The APAR is available in fix pack 11.0.0.13 |
IBM App Connect Enterprise Version V11-Fix Pack 11.0.0.13
For IBM Integration Bus v10, V10.0.0.24 users can disable Node.js. Refer to ‘Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs’.