Lucene search

IBMB1550F692956AA60D27317E486BD41D123BDC8B3FCFB04E954865C2FEA368C78

HistoryJun 30, 2023 - 2:07 p.m.

Security Bulletin: IBM App Connect Enterprise is vulnerable to a denial of service due to the Angular JS (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118)

2023-06-3014:07:03

www.ibm.com

ibm app connect enterprise

angular js

denial of service

cve-2023-26116

cve-2023-26117

cve-2023-26118

fix pack

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

59.4%

JSON

Summary

The Discovery Connectors in IBM App Connect Enterprise are vulnerable to a denial of service due to the Angular JS (CVE-2023-26116, CVE-2023-26117, CVE-2023-26118). The fix removes Angular JS.

Vulnerability Details

CVEID:CVE-2023-26117
**DESCRIPTION:**AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the $resource service. By providing specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251496 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-26118
**DESCRIPTION:**AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the input[url] functionality. By providing specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251494 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-26116
**DESCRIPTION:**AngularJS is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the angular.copy() utility function. By providing specially-crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/251497 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM App Connect Enterprise	12.0.1.0 - 12.0.8.0

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to****IBM App Connect Enterprise

Product(s)	Version(s)	APAR	Remediation / Fix
IBM App Connect Enterprise	12.0.1.0 - 12.0.8.0

IT43886

The APAR (IT43886) is available from

IBM App Connect Enterprise v12.0 - Fix Pack 12.0.9.0

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseRange12.0.1.0≥

ibmapp_connect_enterpriseRange≤12.0.8.0

CPENameOperatorVersion
ibm app connect enterprisege12.0.1.0
ibm app connect enterprisele12.0.8.0

CPE	Name	Operator	Version
	ibm app connect enterprise	ge	12.0.1.0
	ibm app connect enterprise	le	12.0.8.0

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

0.002 Low

EPSS

Percentile

59.4%

JSON

Related for B1550F692956AA60D27317E486BD41D123BDC8B3FCFB04E954865C2FEA368C78