-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4059
    Security Bulletin: IBM App Connect Enterprise and IBM Integration Bus
       are vulnerable to a remote authenticated attacker due to Node.js
                      (CVE-2022-29244, CVE-2022-33987)
                               16 August 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM App Connect Enterprise
                   IBM Integration Bus
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-33987 CVE-2022-29244

Original Bulletin:
   https://www.ibm.com/support/pages/node/6611979

Comment: CVSS (Max):  5.7 CVE-2022-29244 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM App Connect Enterprise and IBM Integration Bus are vulnerable to a remote
authenticated attacker due to Node.js (CVE-2022-29244, CVE-2022-33987)

Document Information

Document number    : 6611979
Modified date      : 11 August 2022
Product            : IBM App Connect Enterprise
Component          : -
Software version   : -
Operating system(s): Linux
                     AIX
                     Windows

Summary

IBM App Connect Enterprise and IBM Integration Bus ship with Node.js for which
vulnerabilities were reported and have been addressed by an ifix, a fixpack
release and an option to disable the node (CVE-2022-29244, CVE-2022-33987)

Vulnerability Details

CVEID: CVE-2022-29244
DESCRIPTION: Node.js npm module could allow a remote authenticated attacker to
obtain sensitive information, caused by an issue with ignoring root-level
.gitignore & .npmignore file exclusion directives when run in a workspace or
with a workspace flag.
By sending a specially-crafted request using npm pack or npm publish, an
attacker could exploit this vulnerability to obtain sensitive information, and
use this information to launch further attacks against the affected system.
CVSS Base score: 5.7
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/228303 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-33987
DESCRIPTION: Node.js got module could allow a remote attacker to bypass
security restrictions, caused by an unspecified. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
perform a redirect to a UNIX socket.
CVSS Base score: 5.3
CVSS Temporal Score: See:
https://exchange.xforce.ibmcloud.com/vulnerabilities/229246 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

+---------------------------------+-------------------------+
|Affected Product(s)              |Version(s)               |
+---------------------------------+-------------------------+
|IBM App Connect Enterprise       |12.0.1.0 - 12.0.4.0      |
+---------------------------------+-------------------------+
|IBM App Connect Enterprise       |11.0.0.0 - 11.0.0.18     |
+---------------------------------+-------------------------+
|IBM Integration Bus              |10.0.0.0 - 10.0.0.26     |
+---------------------------------+-------------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM Integration Bus/IBM App Connect Enterprise

+---------------+------------+-------+----------------------------------------+
|Product(s)     |Version(s)  |APAR   |Remediation / Fix                       |
+---------------+------------+-------+----------------------------------------+
|               |            |       |This APAR (IT41746) is available in fix |
|IBM App Connect|v12.0.1.0 - |       |pack 12.0.5.0                           |
|Enterprise     |v12.0.4.0   |IT41746|                                        |
|               |            |       |IBM Integration Bus version v12 - Fix   |
|               |            |       |Pack 12.0.5.0 link                      |
+---------------+------------+-------+----------------------------------------+
|               |            |       |Interim fix for APAR (IT41746) is       |
|IBM App Connect|v11.0.0.0 - |       |available from                          |
|Enterprise     |v11.0.0.18  |IT41746|                                        |
|               |            |       |IBM Fix Central link v11 - interim fix  |
|               |            |       |available to apply to 11.0.0.18         |
+---------------+------------+-------+----------------------------------------+
|IBM Integration|v10.0.0.0 - |n/a    |see *Workarounds and Mitigations        |
|Bus            |v10.0.0.26  |       |                                        |
+---------------+------------+-------+----------------------------------------+

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate action to IBM Integration Bus as outlined below

For IBM Integration Bus v10

v10.0.0.24 - v10.0.0.26 users can disable Node.js. Refer to 'Disabling Node.js
in IBM Integration Bus 10.0.0.24 and subsequent v10.0 fix packs'.

Change History

09 Aug 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYvr9ZskNZI30y1K9AQj6+g//WUjmzFRdqbSiPYgbqU7dfVni3X0AEx2K
QritGcmDrrCFmd5oEqArnwo+9nzZCN1dGr/IjbbOOrIPSKQrJCQ2zbiyzFrvLn0d
SSC3X/SPhZGGUAWi6sWKbz01DjJZIST/jy30XJL7ED4XfWMF+hRRIvJCjgW24Ple
hdYFGkzJCJ7QmtYBE/JbK1EjPlg3q8lZoNBCUuVZz6wwpawusZAlH4+eGGxFMU1g
ZeZtEvTme3e8imzIK8FrRI9NDO1PXAYTzHIaZ86AT3M5LjvcG+lT5FLT6pF0fvso
WXBXbd9PVyDnZzB09tJSwJQpdL+ylExFDm7Ax5YFNsZ4Bqg2gC7zBNft8dAaZ7KW
HwE7ceYNjmUD6QUdUXJkF3EnGlqC4YdG3ULMzy3o5iocUYIqvUDZUoAT1B8XsfNz
Vb0jRP0bsSuCZ4bZRwSYSH86eBtfFcd3eBQSWvfaJ+vtIWGkdfqkAh+ykpJnkz4O
r7luC2Cscvlh5vUEdUVjfPEDLD8x3hJdd0292bWwgOMuDZQt9wskkZ9YABuCWW7X
42xi3Fi8Mb0vdgWpD6ctc/GPcGBeR6hmLwFwlZMEGAyt+hEKNcvYwDjPsE6r2Hso
VoLxYIjaJHtnzB/yStMeGG3moYaHy9nT9Pfl/ga0I0r18jVad2PlgPh12HKEKXna
PlYwBgBsMgU=
=Bw35
-----END PGP SIGNATURE-----
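The CVE-2022-29244 description in the bulletin above says that, in a workspace, npm pack and npm publish ignored the root-level .gitignore and .npmignore exclusion rules, so files a maintainer believed were excluded could end up in the published tarball. A practical defensive control, independent of the npm fix, is to inspect the pack manifest before publishing and fail the release if any listed file matches a root-level ignore rule. The following checker is an added example and is not code from IBM, npm or AusCERT. It does not invoke npm: the file list and the ignore rules are constructed inline to resemble a workspace package, and `files_from_pack_json` assumes the manifest shape that `npm pack --dry-run --json` prints (an array of package objects each carrying a `files` array of `{"path": ...}` entries), which should be verified against the npm version in use. Pattern matching is a deliberately simplified, fnmatch-based subset of gitignore semantics, not npm's own packlist implementation.

```python
"""Pre-publish check: flag files in an npm pack manifest that a root-level
.npmignore should have excluded.

Added example for the CVE-2022-29244 write-up; not IBM's, npm's or AusCERT's
code. No npm is called: PACKED_FILES, SAMPLE_PACK_JSON and ROOT_NPMIGNORE are
constructed sample data. Matching is a simplified subset of gitignore rules.
"""
import fnmatch
import json
from typing import Iterable, List

# Constructed root-level .npmignore (assumption: the maintainer expects these
# rules to apply to every workspace package in the repository).
ROOT_NPMIGNORE = """
# secrets and local configuration must never ship
.env
*.pem
config/local.json
# build artefacts
coverage/
"""

# Constructed file list shaped like the "files" array npm pack reports for one
# workspace package when the root-level ignore rules were NOT applied.
PACKED_FILES = [
    "package.json",
    "lib/index.js",
    "lib/.env",
    "certs/server.pem",
    "config/local.json",
    "coverage/lcov.info",
    "README.md",
]

# Constructed stand-in for `npm pack --dry-run --json` output (assumed shape:
# list of packages, each with a "files" list of {"path", "size"} entries).
SAMPLE_PACK_JSON = json.dumps([{
    "name": "@example/api",
    "version": "1.2.3",
    "files": [{"path": "package.json", "size": 120},
              {"path": "lib/.env", "size": 40}],
}])


def parse_ignore(text: str) -> List[str]:
    """Return the non-empty, non-comment patterns of an ignore file."""
    patterns = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            patterns.append(line)
    return patterns


def matches(path: str, pattern: str) -> bool:
    """Simplified gitignore match (a subset of the real rules):

    - 'dir/'     matches any path that has 'dir' as a directory component
    - 'a/b.json' (contains a slash) is anchored at the package root
    - 'name'     (no slash) matches any single path component at any depth
    """
    parts = path.split("/")
    if pattern.endswith("/"):
        return pattern[:-1] in parts[:-1]
    if "/" in pattern:
        return fnmatch.fnmatchcase(path, pattern.lstrip("/"))
    return any(fnmatch.fnmatchcase(part, pattern) for part in parts)


def leaked_files(files: Iterable[str], ignore_text: str) -> List[str]:
    """Files present in the manifest that the root ignore rules should exclude."""
    patterns = parse_ignore(ignore_text)
    return sorted(f for f in files if any(matches(f, p) for p in patterns))


def files_from_pack_json(text: str) -> List[str]:
    """Extract file paths from (assumed-shape) `npm pack --json` output."""
    manifest = json.loads(text)
    return [entry["path"] for pkg in manifest for entry in pkg.get("files", [])]


if __name__ == "__main__":
    # Release gate: a non-empty list means the tarball must not be published.
    leaks = leaked_files(PACKED_FILES, ROOT_NPMIGNORE)
    for path in leaks:
        print(f"REFUSE PUBLISH: {path} matches a root-level .npmignore rule")
    raise SystemExit(1 if leaks else 0)
```

In a real pipeline the manifest would come from `npm pack --dry-run --json` in the workspace directory, and the check would run as the last step before `npm publish`; the non-zero exit turns a silent data leak into a failed build. Because the matcher is an approximation, treat a clean result as one control among several (the patched npm being the primary one) rather than as proof that the tarball is clean.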