Security Bulletin: IBM App Connect Enterprise is affected by a remote attacker due to the zip4j library [CVE-2023-22899]

2023-02-15 18:22:01
www.ibm.com
Tags: ibm, app connect enterprise, zip4j library, vulnerability, cve-2023-22899, remediation, ibm fix central

CVSS3: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

EPSS: 0.001 (Percentile: 50.9%)

Summary

The IBM App Connect Enterprise Transformation Advisor tool is affected by a vulnerability in the zip4j library that a remote attacker could exploit [CVE-2023-22899]. The resolving interim fix (ifix) includes zip4j v2.11.3.

Vulnerability Details

CVEID: CVE-2023-22899
**DESCRIPTION:** Zip4j could provide weaker than expected security, caused by not always checking the MAC when decrypting a ZIP archive. An attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/244315 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
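To make concrete what "checking the MAC when decrypting a ZIP archive" means, the block below is an added illustration (not code from this bulletin, from IBM, or from the zip4j project) of the authentication-code check that the WinZip AES (AE-1/AE-2) entry format specifies: keys are derived with PBKDF2-HMAC-SHA1 (1000 iterations) from the password and the per-entry salt, and a 10-byte truncated HMAC-SHA1 over the ciphertext must match before any decrypted data is handed to the caller. The password, salt and ciphertext are constructed sample values; the ciphertext is arbitrary bytes standing in for AES-CTR output, because the authentication code covers only ciphertext and no decryption is needed to show the check. `extract_unverified` models the class of behaviour the CVE describes (data released without the check) beside the hardened `extract_verified`; both function names are this example's own.

```python
import hashlib
import hmac

# WinZip AES encrypted-entry layout:
#   salt || 2-byte password verifier || ciphertext || 10-byte authentication code
# Key material from PBKDF2-HMAC-SHA1(password, salt, 1000 iterations):
#   AES key (key_len bytes) || HMAC key (key_len bytes) || 2-byte verifier
PBKDF2_ITERATIONS = 1000
AUTH_CODE_LEN = 10
SALT_LEN = {16: 8, 24: 12, 32: 16}  # salt length by AES key size in bytes


def derive_keys(password: bytes, salt: bytes, key_len: int):
    """Split the PBKDF2 output into (aes_key, hmac_key, password_verifier)."""
    dk = hashlib.pbkdf2_hmac("sha1", password, salt, PBKDF2_ITERATIONS,
                             dklen=2 * key_len + 2)
    return dk[:key_len], dk[key_len:2 * key_len], dk[2 * key_len:]


def auth_code(hmac_key: bytes, ciphertext: bytes) -> bytes:
    """HMAC-SHA1 over the ciphertext, truncated to 10 bytes as the format requires."""
    return hmac.new(hmac_key, ciphertext, hashlib.sha1).digest()[:AUTH_CODE_LEN]


def build_entry(password: bytes, salt: bytes, ciphertext: bytes, key_len: int = 32) -> bytes:
    """Assemble a sample entry data block (writer side) with a correct auth code."""
    assert len(salt) == SALT_LEN[key_len], "salt length must match key size"
    _, hmac_key, verifier = derive_keys(password, salt, key_len)
    return salt + verifier + ciphertext + auth_code(hmac_key, ciphertext)


def parse_entry(data: bytes, key_len: int = 32):
    """Split an entry data block into (salt, verifier, ciphertext, auth_code)."""
    salt_len = SALT_LEN[key_len]
    salt = data[:salt_len]
    verifier = data[salt_len:salt_len + 2]
    ciphertext = data[salt_len + 2:-AUTH_CODE_LEN]
    mac = data[-AUTH_CODE_LEN:]
    return salt, verifier, ciphertext, mac


def verify_entry(password: bytes, data: bytes, key_len: int = 32) -> str:
    """Return "ok", "bad-password" or "tampered" for an entry data block."""
    salt, verifier, ciphertext, mac = parse_entry(data, key_len)
    _, hmac_key, expected_verifier = derive_keys(password, salt, key_len)
    if not hmac.compare_digest(verifier, expected_verifier):
        return "bad-password"
    # Constant-time comparison of the stored tag against a fresh HMAC over the ciphertext.
    if not hmac.compare_digest(mac, auth_code(hmac_key, ciphertext)):
        return "tampered"
    return "ok"


def extract_unverified(password: bytes, data: bytes, key_len: int = 32) -> bytes:
    """Models the flawed behaviour: returns the ciphertext for decryption without
    consulting the authentication code, so a modified archive is processed silently."""
    _, _, ciphertext, _ = parse_entry(data, key_len)
    return ciphertext


def extract_verified(password: bytes, data: bytes, key_len: int = 32) -> bytes:
    """Hardened behaviour: refuse to release any data unless the tag matches."""
    status = verify_entry(password, data, key_len)
    if status != "ok":
        raise ValueError(f"entry rejected: {status}")
    _, _, ciphertext, _ = parse_entry(data, key_len)
    return ciphertext


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one bit at the given offset (used to simulate a modified archive)."""
    out = bytearray(data)
    out[offset] ^= 0x01
    return bytes(out)


# Constructed sample values (not from any real archive).
PASSWORD = b"correct horse battery staple"
SALT = bytes(range(16))                       # 16-byte salt for AES-256
SAMPLE_CIPHERTEXT = bytes(range(0x40, 0x60))  # 32 bytes standing in for AES-CTR output
SAMPLE_ENTRY = build_entry(PASSWORD, SALT, SAMPLE_CIPHERTEXT)
# Flip a bit inside the ciphertext region (after salt + verifier).
TAMPERED_ENTRY = tamper(SAMPLE_ENTRY, SALT_LEN[32] + 2 + 5)

if __name__ == "__main__":
    print("intact entry:  ", verify_entry(PASSWORD, SAMPLE_ENTRY))
    print("tampered entry:", verify_entry(PASSWORD, TAMPERED_ENTRY))
    print("unverified extract of tampered entry still returns",
          len(extract_unverified(PASSWORD, TAMPERED_ENTRY)), "bytes")
    try:
        extract_verified(PASSWORD, TAMPERED_ENTRY)
    except ValueError as exc:
        print("verified extract:", exc)
```

The detection value of the tag is that it is computed over the ciphertext with a key the attacker does not hold, so any byte changed in transit or on disk produces a mismatch before the plaintext is ever used; a decrypter that skips the comparison, as `extract_unverified` does, hands tampered data to the rest of the application.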

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0 |
| IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.20 |

Remediation/Fixes

**IBM strongly recommends addressing the vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise**

| Product(s) | Version(s) | APAR | Remediation / Fix |
|---|---|---|---|
| IBM App Connect Enterprise | v12.0.1.0 - v12.0.7.0 | IT42906 | Interim fix for APAR (IT42906) is available from IBM Fix Central |
| IBM App Connect Enterprise | v11.0.0.0 - v11.0.0.20 | IT42906 | Interim fix for APAR (IT42906) is available from IBM Fix Central |

Workarounds and Mitigations

None

Affected configurations (Vulners)

- ibm app_connect_enterprise 12.0.1.0 - 12.0.7.0
- ibm app_connect_enterprise 11.0.0.0 - 11.0.0.20
- CPE: cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:*
