-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3300
 Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are
           vulnerable to arbitrary code execution due to node.js
                     minimist module ( CVE-2022-44906)
                                7 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Integration Bus
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-44906 CVE-2021-44906 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6601101

Comment: CVSS (Max):  5.6 CVE-2021-44906 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary
code execution due to node.js minimist module (CVE-2022-44906)

Document Information

Document number    : 6601101
Modified date      : 04 July 2022
Product            : IBM Integration Bus
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary
code execution due to the node.js minimist module (CVE-2022-44906). A
mitigation has been provided for IBM Integration Bus. The latest fix packs for
IBM App Connect Enterprise include minimist 1.2.6.

Vulnerability Details

CVEID: CVE-2021-44906
DESCRIPTION: The Node.js Minimist module could allow a remote attacker to
execute arbitrary code on the system, caused by a prototype pollution flaw in
the setKey() function in the index.js script. By sending a specially-crafted
request, an attacker could exploit this vulnerability to execute arbitrary code
on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/222195
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
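
The bulletin names minimist 1.2.6 as the release shipped in the fixed ACE fix
packs. The following script is an added example, not part of the IBM or AusCERT
bulletin: it scans a package-lock.json (both the lockfileVersion 1 dependency
tree and the lockfileVersion 2/3 packages map) for any copy of minimist below
1.2.6, including nested copies pulled in by other modules. The lock-file content
is constructed for illustration.

```javascript
// Added example: flag minimist installs older than the fixed release named in
// the advisory. Constructed sample data; no real lock file is read.
const FIXED_VERSION = '1.2.6';

// Numeric comparison of dotted version strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns every minimist install path whose version is below FIXED_VERSION.
// lockfileVersion 2/3 files carry a flat "packages" map keyed by path; older
// lockfileVersion 1 files only have the nested "dependencies" tree.
function findVulnerableMinimist(lock) {
  const findings = [];
  const check = (path, version) => {
    if (version && compareVersions(version, FIXED_VERSION) < 0) {
      findings.push({ path, version });
    }
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/minimist')) check(path, meta.version);
    }
    return findings;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'minimist') check(path, meta.version);
      walk(meta.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return findings;
}

// Constructed sample: one patched top-level copy, one nested vulnerable copy.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/minimist': { version: '1.2.6' },
    'node_modules/mkdirp/node_modules/minimist': { version: '0.0.8' },
  },
};

console.log(findVulnerableMinimist(SAMPLE_LOCK));
```

The nested copy is the one a top-level `npm ls minimist` is easy to overlook,
which is why the scan walks every install path rather than the first match.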

Affected Products and Versions

+--------------------------+--------------------+
|Affected Product(s)       |Version(s)          |
+--------------------------+--------------------+
|IBM App Connect Enterprise|12.0.1.0 - 12.0.3.0 |
+--------------------------+--------------------+
|IBM App Connect Enterprise|11.0.0.0 - 11.0.0.17|
+--------------------------+--------------------+
|IBM Integration Bus       |10.0.0.0 - 10.0.0.26|
+--------------------------+--------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM App Connect Enterprise.

+----------------+-------------+-------+--------------------------------------+
|Product(s)      |Version(s)   |APAR   |Remediation / Fix                     |
+----------------+-------------+-------+--------------------------------------+
|                |             |       |This APAR (IT41068) is available in   |
|IBM App Connect |12.0.1.0 -   |       |fix pack 12.0.4.0                     |
|Enterprise      |12.0.3.0     |IT41332|                                      |
|                |             |       |IBM App Connect Enterprise Version v12|
|                |             |       |- Fix Pack 12.0.4.0                   |
+----------------+-------------+-------+--------------------------------------+
|                |             |       |This APAR is available in fix pack    |
|IBM App Connect |11.0.0.0 -   |       |11.0.0.18                             |
|Enterprise      |11.0.0.17    |IT41332|                                      |
|                |             |       |IBM App Connect Enterprise Version v11|
|                |             |       |- Fix Pack 11.0.0.18                  |
+----------------+-------------+-------+--------------------------------------+
|IBM Integration |             |       |see section Workarounds and           |
|Bus             |             |       |Mitigations                           |
+----------------+-------------+-------+--------------------------------------+

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate action to IBM Integration Bus as outlined below.

For IBM Integration Bus V10.0.0.24 - V10.0.0.26, users can disable node.js.

Refer to 'Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent
v10.0 fix packs'.

Change History

27 Jun 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----