CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
65.4%
IBM App Connect Enterprise and IBM Integration Bus FTE nodes are vulnerable to an issue in IBM MQ Managed File Transfer where a local user can obtain sensitive information from diagnostic files and Apache Commons Net could allow a remote attack (CVE-2021-37533, CVE-2022-42436, CVE-2022-43919). The fix includes IBM MQ 9.2.0.10
CVEID:CVE-2021-37533
**DESCRIPTION:**Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusts the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-42436
**DESCRIPTION:**IBM MQ 8.0.0, 9.0.0, 9.1.0, 9.2.0, 9.3.0 Managed File Transfer could allow a local user to obtain sensitive information from diagnostic files. IBM X-Force ID: 238206.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238206 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2022-43919
**DESCRIPTION:**IBM MQ 9.2 CD, 9.2 LTS, 9.3 CD, and 9.3 LTS could allow an authenticated attacker with authorization to craft messages to cause a denial of service. IBM X-Force ID: 241354.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM App Connect Enterprise | 12.0.1.0 - 12.0.7.0 |
IBM App Connect Enterprise | 11.0.0.0 - 11.0.0.20 |
IBM Integration Bus | 10.1 |
IBM Integration Bus | 10.0.0.0 - 10.0.0.26 |
IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise & IBM Integration Bus
Product(s)
|
Version(s)
|
APAR
|
Remediation / Fix
—|—|—|—
IBM App Connect Enterprise
|
v12.0.1.0 - v12.0.7.0
|
IT43656
|
The APAR (IT43656) is available in Fix Pack 12.0.8.0
IBM App Connect Enterprise v12 - Fix Pack 12.0.8.0
IBM App Connect Enterprise
|
v11.0.0.0 -v11.0.0.20
|
IT43656
|
Interim fix for APAR (IT43656) is available to apply to 11.0.0.20 from
IBM Integration Bus
|
v10.1
|
IT43656
|
Interim fix for APAR (IT43656) is available to apply to 10.1 from
IBM Integration Bus
|
v10.0.0.0 -v10.0.0.26
|
IT43656
|
Interim fix for APAR (IT43656) is available to apply to 10.0.0.26 from
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | app_connect_enterprise | * | cpe:2.3:a:ibm:app_connect_enterprise:*:*:*:*:*:*:*:* |
ibm | integration_bus | 10.1 | cpe:2.3:a:ibm:integration_bus:10.1:*:*:*:*:*:*:* |
ibm | integration_bus | * | cpe:2.3:a:ibm:integration_bus:*:*:*:*:*:*:*:* |
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
65.4%