CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 81.0%
The IBM App Connect Enterprise Certified Container operator is written in Golang Go, as are parts of the ace-server application. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to arbitrary code execution. This bulletin provides patch information to address the reported vulnerability in Golang Go. [CVE-2023-29402]
**CVEID:** CVE-2023-29402
**DESCRIPTION:** Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by the generation of unexpected code at build time when using cgo. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/257652 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
App Connect Enterprise Certified Container | 4.1 |
App Connect Enterprise Certified Container | 4.2 |
App Connect Enterprise Certified Container | 5.0-lts |
App Connect Enterprise Certified Container | 5.1 |
App Connect Enterprise Certified Container | 5.2 |
App Connect Enterprise Certified Container | 6.0 |
App Connect Enterprise Certified Container | 6.1 |
App Connect Enterprise Certified Container | 6.2 |
App Connect Enterprise Certified Container | 7.0 |
App Connect Enterprise Certified Container | 7.1 |
App Connect Enterprise Certified Container | 7.2 |
App Connect Enterprise Certified Container | 8.0 |
App Connect Enterprise Certified Container | 8.1 |
App Connect Enterprise Certified Container | 8.2 |
App Connect Enterprise Certified Container | 9.0 |
IBM strongly suggests the following:
**App Connect Enterprise Certified Container 4.1.x to 9.0.x (Continuous Delivery)**
Upgrade to App Connect Enterprise Certified Container Operator version 9.1.0 or higher, and ensure that all components are at 12.0.9.0-r1 or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect/containers_cd?topic=releases-upgrading-operator>
**App Connect Enterprise Certified Container 5.0 LTS (Long Term Support)**
Upgrade to App Connect Enterprise Certified Container Operator version 5.0.9 or higher, and ensure that all components are at 12.0.9.0-r1-lts or higher. Documentation on the upgrade process is available at <https://www.ibm.com/docs/en/app-connect-contlts?topic=releases-upgrading-operator>
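A check of deployed levels against the fix levels above, as an added example that is not part of IBM's bulletin. The inventory format, the component names and the rule that an operator at 5.0.x is on the LTS stream are assumptions of this example.

```python
import re

# Fix levels quoted from the remediation text of this bulletin.
FIXED_OPERATOR = {"cd": (9, 1, 0), "lts": (5, 0, 9)}
FIXED_COMPONENT = (12, 0, 9, 0, 1)  # 12.0.9.0-r1, with "-lts" suffix on LTS
COMPONENT_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)(-lts)?$")


def operator_track(version):
    """Assumption: operator 5.0.x is the LTS stream, anything else is CD."""
    major_minor = tuple(int(p) for p in version.split(".")[:2])
    return "lts" if major_minor == (5, 0) else "cd"


def operator_is_fixed(version):
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # treat "9.1" as 9.1.0
    return parts >= FIXED_OPERATOR[operator_track(version)]


def audit(operator_version, component_tags):
    """Return findings; an empty list means every level meets the fix."""
    track = operator_track(operator_version)
    findings = []
    if not operator_is_fixed(operator_version):
        need = ".".join(map(str, FIXED_OPERATOR[track]))
        findings.append(f"operator {operator_version} < {need} ({track})")
    for name, tag in component_tags.items():
        m = COMPONENT_RE.match(tag)
        if not m:
            findings.append(f"{name}: unrecognised version {tag!r}")
        elif (m.group(6) is not None) != (track == "lts"):
            findings.append(f"{name}: {tag} is not a {track} build")
        elif tuple(int(g) for g in m.groups()[:5]) < FIXED_COMPONENT:
            findings.append(f"{name}: {tag} < 12.0.9.0-r1")
    return findings


if __name__ == "__main__":
    # Constructed inventory; component names are hypothetical labels.
    inventory = {"integration-server": "12.0.8.0-r3", "dashboard": "12.0.9.0-r1"}
    for finding in audit("9.0.0", inventory):
        print(finding)
```

A component on the wrong stream (a CD build under an LTS operator, or the reverse) is reported separately, because the bulletin gives each stream its own fixed level.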
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | app_connect_enterprise | 4.1 | cpe:2.3:a:ibm:app_connect_enterprise:4.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 4.2 | cpe:2.3:a:ibm:app_connect_enterprise:4.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 5.0 | cpe:2.3:a:ibm:app_connect_enterprise:5.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 5.1 | cpe:2.3:a:ibm:app_connect_enterprise:5.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 5.2 | cpe:2.3:a:ibm:app_connect_enterprise:5.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 6.0 | cpe:2.3:a:ibm:app_connect_enterprise:6.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 6.1 | cpe:2.3:a:ibm:app_connect_enterprise:6.1:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 6.2 | cpe:2.3:a:ibm:app_connect_enterprise:6.2:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 7.0 | cpe:2.3:a:ibm:app_connect_enterprise:7.0:*:*:*:*:*:*:* |
ibm | app_connect_enterprise | 7.1 | cpe:2.3:a:ibm:app_connect_enterprise:7.1:*:*:*:*:*:*:* |