Lucene search

IBMB74865B3C9083B96E28DFE8116806EEAB796A5F19795CE6B4A75ED506C2E1E20

HistoryApr 28, 2023 - 11:44 a.m.

Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to [CVE-2022-38900]

2023-04-2811:44:02

www.ibm.com

ibm

app connect

enterprise

certified container

denial of service

node.js

decode-uri-component

vulnerability

cve-2022-38900

patch

7.5 cvss base score

4.1

4.2

5.0-lts

5.1

5.2

6.0

6.1

6.2

7.0

7.1

7.2

8.0

upgrade

8.1.0

5.0.6

12.0.8.0-r1

lts

long term support

mitigation

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.004

Percentile

73.2%

JSON

Summary

Node.js module decode-uri-component is part of the Node.js runtime used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerability in Node.js module decode-uri-component. [CVE-2022-38900]

Vulnerability Details

CVEID:CVE-2022-38900
**DESCRIPTION:**decode-uri-component is vulnerable to a denial of service, caused by improper input validation by the decodeComponents function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241069 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
App Connect Enterprise Certified Container	4.1
App Connect Enterprise Certified Container	4.2
App Connect Enterprise Certified Container	5.0-lts
App Connect Enterprise Certified Container	5.1
App Connect Enterprise Certified Container	5.2
App Connect Enterprise Certified Container	6.0
App Connect Enterprise Certified Container	6.1
App Connect Enterprise Certified Container	6.2
App Connect Enterprise Certified Container	7.0
App Connect Enterprise Certified Container	7.1
App Connect Enterprise Certified Container	7.2
App Connect Enterprise Certified Container	8.0

Remediation/Fixes

IBM strongly suggests the following:
App Connect Enterprise Certified Container 4.1.x to 8.0.x (Continuous Delivery)

Upgrade to App Connect Enterprise Certified Container Operator version 8.1.0 or higher, and ensure that all components are at 12.0.8.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>

App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)

Upgrade to App Connect Enterprise Certified Container Operator version 5.0.6 or higher, and ensure that all components are at 12.0.8.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmapp_connect_enterpriseMatch4.1

ibmapp_connect_enterpriseMatch4.2

ibmapp_connect_enterpriseMatch5.0

ibmapp_connect_enterpriseMatch5.1

ibmapp_connect_enterpriseMatch5.2

ibmapp_connect_enterpriseMatch6.0

ibmapp_connect_enterpriseMatch6.1

ibmapp_connect_enterpriseMatch6.2

ibmapp_connect_enterpriseMatch7.0

ibmapp_connect_enterpriseMatch7.1

ibmapp_connect_enterpriseMatch7.2

ibmapp_connect_enterpriseMatch8.0

VendorProductVersionCPE
ibmapp_connect_enterprise4.1cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise4.2cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.0cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.1cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise5.2cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.0cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.1cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:*
ibmapp_connect_enterprise6.2cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.0cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:*
ibmapp_connect_enterprise7.1cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	app_connect_enterprise	4.1	cpe:2.3:a:ibm:app_connect_enterprise:4.1:::::::*
ibm	app_connect_enterprise	4.2	cpe:2.3:a:ibm:app_connect_enterprise:4.2:::::::*
ibm	app_connect_enterprise	5.0	cpe:2.3:a:ibm:app_connect_enterprise:5.0:::::::*
ibm	app_connect_enterprise	5.1	cpe:2.3:a:ibm:app_connect_enterprise:5.1:::::::*
ibm	app_connect_enterprise	5.2	cpe:2.3:a:ibm:app_connect_enterprise:5.2:::::::*
ibm	app_connect_enterprise	6.0	cpe:2.3:a:ibm:app_connect_enterprise:6.0:::::::*
ibm	app_connect_enterprise	6.1	cpe:2.3:a:ibm:app_connect_enterprise:6.1:::::::*
ibm	app_connect_enterprise	6.2	cpe:2.3:a:ibm:app_connect_enterprise:6.2:::::::*
ibm	app_connect_enterprise	7.0	cpe:2.3:a:ibm:app_connect_enterprise:7.0:::::::*
ibm	app_connect_enterprise	7.1	cpe:2.3:a:ibm:app_connect_enterprise:7.1:::::::*