-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3300
   Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus
     are vulnerable to arbitrary code execution due to node.js minimist
                          module (CVE-2021-44906)
                                 7 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Integration Bus
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-44906

Original Bulletin:
   https://www.ibm.com/support/pages/node/6601101

Comment: CVSS (Max):  5.6 CVE-2021-44906 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary
code execution due to node.js minimist module (CVE-2021-44906)

Document Information

Document number    : 6601101
Modified date      : 04 July 2022
Product            : IBM Integration Bus
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows

Summary

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary
code execution due to the node.js minimist module (CVE-2021-44906). A
mitigation has been provided for IBM Integration Bus. The latest fix packs for
IBM App Connect Enterprise include minimist 1.2.6.

Vulnerability Details

CVEID: CVE-2021-44906
DESCRIPTION: Node.js Minimist module could allow a remote attacker to execute
arbitrary code on the system, caused by prototype pollution in the setKey()
function in index.js. By sending a specially crafted request, an attacker
could exploit this vulnerability to execute arbitrary code on the system. The
attacker-controlled input is an argument string (anything the application
hands to minimist for parsing) whose dotted key path contains __proto__ or
constructor.prototype; the resulting write lands on Object.prototype and is
inherited by every plain object in the process.
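The prototype-pollution path described above, as an added example written for this page; it is not minimist's source and is not part of the IBM or AusCERT text. setKeyVulnerable() mirrors the shape of minimist's pre-1.2.6 dotted-key walk and setKeyFixed() the kind of guard 1.2.6 added (written here stricter than the library's own check); parseArgs(), probe(), cleanup() and HOSTILE_ARGV are scaffolding constructed for the demo. Run it with node.

```javascript
'use strict';

// Added example (not minimist's code, not from the IBM bulletin): a reduced
// model of how a dotted key such as "--a.b=c" is turned into argv.a.b = "c",
// with the pre-1.2.6 shape beside a hardened one.

// Pre-1.2.6 shape: descends through every segment of the key path. A segment
// of "__proto__" (or "constructor" followed by "prototype") lands on
// Object.prototype, and the final assignment writes a property that every
// plain object in the process then inherits.
function setKeyVulnerable(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const key = keys[keys.length - 1];
  if (o[key] === undefined || typeof o[key] === 'boolean') o[key] = value;
  else if (Array.isArray(o[key])) o[key].push(value);
  else o[key] = [o[key], value];
}

// Hardened shape: refuse to step into "__proto__" or "constructor" at any
// depth, and refuse to assign a last segment with either name. This is a
// stricter variant of the 1.2.6 guard, which only rejects "constructor"
// when it resolves to a function.
function isProtoSegment(key) {
  return key === '__proto__' || key === 'constructor';
}

function setKeyFixed(obj, keys, value) {
  let o = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    if (isProtoSegment(key)) return;
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  const key = keys[keys.length - 1];
  if (isProtoSegment(key)) return;
  if (o[key] === undefined || typeof o[key] === 'boolean') o[key] = value;
  else if (Array.isArray(o[key])) o[key].push(value);
  else o[key] = [o[key], value];
}

// Minimal "--name=value" / "--flag" parser so both setKey variants can be
// driven with the same constructed argv. Positional arguments go to argv._.
function parseArgs(argv, setKey) {
  const out = { _: [] };
  for (const arg of argv) {
    if (arg.startsWith('--')) {
      const body = arg.slice(2);
      const eq = body.indexOf('=');
      const name = eq === -1 ? body : body.slice(0, eq);
      const value = eq === -1 ? true : body.slice(eq + 1);
      setKey(out, name.split('.'), value);
    } else {
      out._.push(arg);
    }
  }
  return out;
}

// Does a brand-new, unrelated object inherit `name`? That is the signature of
// prototype pollution: the attacker never touched this object directly.
function probe(name) {
  return ({})[name];
}

// Remove a polluted property so later code starts from a clean prototype.
function cleanup(name) {
  delete Object.prototype[name];
}

// Constructed attacker-controlled argv (hypothetical, not from the bulletin).
const HOSTILE_ARGV = ['--__proto__.polluted=yes', 'run'];

parseArgs(HOSTILE_ARGV, setKeyVulnerable);
console.log('pre-1.2.6 shape: ({}).polluted ===', probe('polluted')); // "yes"
cleanup('polluted');

parseArgs(HOSTILE_ARGV, setKeyFixed);
console.log('hardened shape:  ({}).polluted ===', probe('polluted')); // undefined

console.log('normal parse:', JSON.stringify(
  parseArgs(['--server.port=8080', '--verbose', 'run'], setKeyFixed)));
```

The hardened variant still handles ordinary dotted keys, repeated keys and bare flags exactly as before, so the guard is transparent to legitimate callers; the hostile segment simply has no place to land. Whether a given product is reachable depends on whether attacker-influenced strings are ever handed to the parser, which is the question to answer when triaging a bundled copy of minimist older than 1.2.6.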
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

+--------------------------+--------------------+
|Affected Product(s)       |Version(s)          |
+--------------------------+--------------------+
|IBM App Connect Enterprise|12.0.1.0 - 12.0.3.0 |
+--------------------------+--------------------+
|IBM App Connect Enterprise|11.0.0.0 - 11.0.0.17|
+--------------------------+--------------------+
|IBM Integration Bus       |10.0.0.0 - 10.0.0.26|
+--------------------------+--------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM App Connect Enterprise

+----------------+-------------+-------+--------------------------------------+
|Product(s)      |Version(s)   |APAR   |Remediation / Fix                     |
+----------------+-------------+-------+--------------------------------------+
|IBM App Connect |12.0.1.0 -   |IT41332|This APAR (IT41068) is available in   |
|Enterprise      |12.0.3.0     |       |fix pack 12.0.4.0                     |
|                |             |       |IBM App Connect Enterprise Version v12|
|                |             |       |- Fix Pack 12.0.4.0                   |
+----------------+-------------+-------+--------------------------------------+
|IBM App Connect |11.0.0.0 -   |IT41332|This APAR is available in fix pack    |
|Enterprise      |11.0.0.17    |       |11.0.0.18                             |
|                |             |       |IBM App Connect Enterprise Version v11|
|                |             |       |- Fix Pack 11.0.0.18                  |
+----------------+-------------+-------+--------------------------------------+
|IBM Integration |             |       |see section Workarounds and           |
|Bus             |             |       |Mitigations                           |
+----------------+-------------+-------+--------------------------------------+

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate action to IBM Integration Bus as outlined below

For IBM Integration Bus v10

V10.0.0.24 - V10.0.0.26 users can disable node.js. Refer to 'Disabling Node.js
in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs'.

Change History

27 Jun 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYsaHackNZI30y1K9AQgDxQ//frVU81LZQwHSx9ugUu9Ii0bIo4W1BTCb
BJCgaq3vmE/bzZ51+cbi0yVd2w82Vp8VVO81lAJqYjkM2Jt9U5OwHk6ixwLFkN47
5psvowi/aABafRHKyIPIYenHCNDkHZw7b+WnYEWT2VqOopdEI33UVHkrq5g1qjwa
8JjUfMu5W2f3rmIECzxMmTMFR6Ut4Imxhctaxn75dZNYOd96RK20AwrJHg0YzS6r
Lul2pku414m8SvHRw+oK/JTpzTBKwg3IPtUhgOnh5LI9EsAYbL1ECjHw8FUBDvqH
Y57lRdEn64J9unN7v01frD7VOxfL2VpfeipB2v9x5BqZVdblGQnGXDDd5sx2yEnf
r/xiYJBAtoE7TfZA4zUAB/kvDI0Xsl2ox4X1LDvem05MwOsaCGFhrSXLi3ADVDg/
BR5kt7BSkanBelwhNIwpwPMz2iwsnZJDiHREi3+ZnjSTf1r6f/CNGPC1xI/OywK5
Ts+2JaRFD/a148SQIunnzElo3mfX4SDVQKQVXrD2jk9VG2rzANmu+IWRwNSrzI3u
nLUBxRyYncdUWgicT98b3BFKiPQcuEqfPhnjuwC7W1ILByJa4M7r9RYan3k5mPrr
usKtQM1+69fFKsrPz0L9Z72952m3sbeW0GtvoS/oj7C463F3Pux56LhcbIj2FFIJ
Mb2mQkW66EI=
=WjUo
-----END PGP SIGNATURE-----