-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4059
 Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus are
       vulnerable to a remote authenticated attacker due to Node.js
                     (CVE-2022-29244, CVE-2022-33987)
                              16 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM App Connect Enterprise
                   IBM Integration Bus
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-33987 CVE-2022-29244 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6611979

Comment: CVSS (Max):  5.7 CVE-2022-29244 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote
authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987)

Document Information

Document number    : 6611979
Modified date      : 11 August 2022
Product            : IBM App Connect Enterprise
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows

Summary

IBM App Connect Enterprise and IBM Integration Bus ship with Node.js, for which
vulnerabilities were reported. They have been addressed by an interim fix
(ifix), a fix pack release and, for IBM Integration Bus v10, an option to
disable Node.js (CVE-2022-29244, CVE-2022-33987).

Vulnerability Details

CVEID: CVE-2022-29244
DESCRIPTION: The npm module bundled with Node.js could allow a remote
authenticated attacker to obtain sensitive information, because npm pack and
npm publish ignore root-level .gitignore and .npmignore file exclusion
directives when run in a workspace or with a workspace flag. Files the package
author intended to exclude are therefore included in the generated tarball or
published package; an attacker who obtains that package could read the
disclosed content and use it to launch further attacks against the affected
system.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
228303 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-33987
DESCRIPTION: The Node.js got module could allow a remote attacker to bypass
security restrictions, caused by an unspecified error in redirect handling. By
returning a specially-crafted redirect response, an attacker could exploit this
vulnerability to make the client follow the redirect to a UNIX socket.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
229246 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
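
The got issue above comes down to an HTTP client honouring a Location header
that names a local socket instead of a network host. The following is an
added example, not code from IBM, from the got project or from this bulletin:
a standalone redirect-policy check in plain Node.js (no dependencies, global
URL class) that rejects the socket form got understands
(PROTOCOL://unix:SOCKET_PATH:REQUEST_PATH), non-HTTP schemes, TLS downgrades
and, optionally, hosts outside an allowlist. The scenario list at the bottom is
constructed for illustration, not captured traffic; the host names are
placeholders.

```javascript
// Redirect policy check modelled on the CVE-2022-33987 failure mode:
// a 3xx response whose Location points at a UNIX domain socket.
// Added example for this bulletin; not IBM, got or Node.js project code.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

/**
 * Decide whether an HTTP client should follow a redirect.
 * @param {string} currentUrl  URL of the request that returned the 3xx
 * @param {string} location    raw Location header value (may be relative)
 * @param {object} [opts]
 * @param {string[]} [opts.allowedHosts]  if set, target host must be listed
 * @returns {{ok: boolean, reason?: string, target?: string}}
 */
function isSafeRedirect(currentUrl, location, opts = {}) {
  let from;
  let to;
  try {
    from = new URL(currentUrl);
    to = new URL(location, from); // relative Location resolves against the request URL
  } catch {
    return { ok: false, reason: 'unparsable-location' };
  }

  // Only plain HTTP(S) targets; file:, data:, ftp: etc. are never followed.
  if (!ALLOWED_PROTOCOLS.has(to.protocol)) {
    return { ok: false, reason: 'disallowed-protocol' };
  }

  // got's socket convention is PROTOCOL://unix:SOCKET_PATH:REQUEST_PATH,
  // which the URL parser turns into hostname "unix" (port empty). Following
  // such a redirect would connect to a local socket (e.g. a container or
  // service-manager API) rather than to a network host.
  if (to.hostname === 'unix') {
    return { ok: false, reason: 'unix-socket' };
  }

  // Do not let a server move an https session onto cleartext http.
  if (from.protocol === 'https:' && to.protocol === 'http:') {
    return { ok: false, reason: 'tls-downgrade' };
  }

  if (opts.allowedHosts && !opts.allowedHosts.includes(to.hostname)) {
    return { ok: false, reason: 'host-not-allowed' };
  }

  return { ok: true, target: to.href };
}

// Constructed scenarios (placeholder hosts, not real responses), one per rule.
const SCENARIOS = [
  ['https://api.example.com/v1', '/v1/items'],
  ['https://api.example.com/v1', 'http://unix:/var/run/docker.sock:/containers/json'],
  ['https://api.example.com/v1', 'http://api.example.com/v1/items'],
  ['https://api.example.com/v1', 'file:///etc/passwd'],
  ['https://api.example.com/v1', 'https://evil.example.net/'],
];

/** Run every scenario through the policy and return the decisions in order. */
function evaluateScenarios(allowedHosts) {
  return SCENARIOS.map(([from, location]) => ({
    from,
    location,
    ...isSafeRedirect(from, location, { allowedHosts }),
  }));
}

console.table(evaluateScenarios(['api.example.com']));
```

In a got-based client that cannot be upgraded immediately, a policy like this
belongs in the client's redirect hook (got exposes `hooks.beforeRedirect`), and
later got releases also carry an option to switch UNIX socket support off
entirely; both of those are general got features and not something this
bulletin describes for the IBM products, so verify the exact option names
against the got version actually shipped.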

Affected Products and Versions

+---------------------------------+-------------------------+
|Affected Product(s)              |Version(s)               |
+---------------------------------+-------------------------+
|IBM App Connect Enterprise       |12.0.1.0 - 12.0.4.0      |
+---------------------------------+-------------------------+
|IBM App Connect Enterprise       |11.0.0.0 - 11.0.0.18     |
+---------------------------------+-------------------------+
|IBM Integration Bus              |10.0.0.0 - 10.0.0.26     |
+---------------------------------+-------------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise.
+---------------+------------+-------+----------------------------------------+
|Product(s)     |Version(s)  |APAR   |Remediation / Fix                       |
+---------------+------------+-------+----------------------------------------+
|               |            |       |This APAR (IT41746) is available in fix |
|IBM App Connect|v12.0.1.0 - |       |pack 12.0.5.0                           |
|Enterprise     |v12.0.4.0   |IT41746|                                        |
|               |            |       |IBM Integration Bus version v12 - Fix   |
|               |            |       |Pack 12.0.5.0 link                      |
+---------------+------------+-------+----------------------------------------+
|               |            |       |Interim fix for APAR ( IT41746) is      |
|IBM App Connect|v11.0.0.0 - |       |available from                          |
|Enterprise     |v11.0.0.18  |IT41746|                                        |
|               |            |       |IBM Fix Central link v11 - interim fix  |
|               |            |       |available to apply to 11.0.0.18         |
+---------------+------------+-------+----------------------------------------+
|IBM Integration|v10.0.0.0 - |n/a    |see *Workarounds and Mitigations        |
|Bus            |v10.0.0.26  |       |                                        |
+---------------+------------+-------+----------------------------------------+

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate action to IBM Integration Bus as outlined below.

For IBM Integration Bus v10, users on v10.0.0.24 - v10.0.0.26 can disable
Node.js.

Refer to
'Disabling Node.js in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix
packs'

Change History

09 Aug 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
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=Bw35
-----END PGP SIGNATURE-----