Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2023.3781
Multiple vulnerabilities affect the IBM App Connect
Enterprise Toolkit and the IBM Integration Bus Toolkit
3 July 2023
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit
Publisher: IBM
Operating System: Linux variants
Windows
Resolution: Patch/Upgrade
CVE Names: CVE-2023-26049 CVE-2022-40146 CVE-2022-38648
CVE-2022-38398 CVE-2022-29599 CVE-2022-2047
CVE-2021-28169 CVE-2021-28165 CVE-2020-27223
CVE-2020-13936 CVE-2020-10683 CVE-2019-0227
CVE-2018-8032 CVE-2015-1832 CVE-2014-3596
CVE-2012-5784 CVE-2010-2232 CVE-2009-4269
Original Bulletin:
https://www.ibm.com/support/pages/node/7001793
Comment: CVSS (Max): 9.8 CVE-2022-29599 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Multiple vulnerabilities affect the IBM App Connect
Enterprise Toolkit and the IBM Integration Bus Toolkit
Document Information
Document number : 7001793
Modified date : 30 June 2023
Product : IBM App Connect Enterprise
Component : -
Software version : TOOLKIT
Operating system(s): Linux
Windows
Security Bulletin
Summary
The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are
vulnerable, as per the CVEs listed in the Vulnerability Details section. These
vulnerabilities affect some development tasks in the product toolkit.
[CVE-2022-29599] and [CVE-2020-10683] only affect Test and Java projects if
they have been configured to be a Maven project. The resolving fix has been
provided in the Remediation Fixes table
Vulnerability Details
CVEID: CVE-2020-10683
DESCRIPTION: dom4j could allow a remote authenticated attacker to obtain
sensitive information, caused by an XML external entity (XXE) error when
processing XML data. By sending specially crafted XML data, a remote attacker
could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
181356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-8032
DESCRIPTION: Apache Axis is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the default servlet/services. A
remote attacker could exploit this vulnerability using a specially-crafted URL
to execute script in a victim's Web browser within the security context of the
hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
147823 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2014-3596
DESCRIPTION: Apache Axis and Axis2 could allow a remote attacker to conduct
spoofing attacks, caused by and incomplete fix related to the failure to verify
that the server hostname matches a domain name in the subject's Common Name
(CN) field of the X.509 certificate. By persuading a victim to visit a Web site
containing a specially-crafted certificate, an attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
95377 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2019-0227
DESCRIPTION: Apache Axis is vulnerable to server-side request forgery, caused
by an expired hard coded domain, used in a default example service named
StockQuoteService.jws. By using a man-in-the-middle attack to force an HTTP
request, a remote attacker could exploit this vulnerability to conduct an SSRF
attack, allowing the attacker to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
159283 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2012-5784
DESCRIPTION: Apache Axis 1.4, as used in multiple products, could allow a
remote attacker to conduct spoofing attacks, caused by the failure to verify
that the server hostname matches a domain name in the subject's Common Name
(CN) field of the X.509 certificate. An attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof an SSL server and
launch further attacks against a vulnerable target.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
79829 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2021-28165
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by
improper input valistion. By sending a specially-crafted TLS frame, a remote
attacker could exploit this vulnerability to cause CPU resources to reach to
100% usage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
199305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-26049
DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to
obtain sensitive information, caused by a flaw during nonstandard cookie
parsing. By sending a specially crafted request to tamper with the cookie
parsing mechanism, an attacker could exploit this vulnerability to obtain
values from other cookies, and use this information to launch further attacks
against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
CVEID: CVE-2010-2232
DESCRIPTION: Apache Derby could allow a remote attacker to overwrite arbitrary
files, caused by a flaw in the Export functionality. An attacker could exploit
this vulnerability to overwrite arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
134130 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2015-1832
DESCRIPTION: Apache Derby could allow a remote attacker to obtain sensitive
information, caused by a XML external entity (XXE) error when processing XML
data by the XML datatype and XmlVTI. An attacker could exploit this
vulnerability to read arbitrary files on the system or cause a denial of
service.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
115625 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)
CVEID: CVE-2009-4269
DESCRIPTION: Apache Derby could allow a remote attacker to obtain sensitive
information, caused by the reduction of the size of the set of inputs to SHA-1
by the password hash generation algorithm managed by the BUILTIN authentication
functionality. By generating hash collisions, a remote attacker could exploit
this vulnerability to crack passwords and obtain sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
61202 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2021-28169
DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive
information, caused by a flaw in the ConcatServlet. By sending a
specially-crafted request using a doubly encoded path, an attacker could
exploit this vulnerability to obtain sensitive information from protected
resources within the WEB-INF directory, and use this information to launch
further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2022-2047
DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to
bypass security restrictions, caused by a flaw in the HttpURI class. By sending
a specially-crafted request, an attacker could exploit this vulnerability to
the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet wrongly
interpreting an authority with no host as one with a host.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
230668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2020-27223
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by an
error when handling a request containing multiple Accept headers with a large
number of quality parameters. By sending a specially-crafted request, a remote
attacker could exploit this vulnerability to exhaust minutes of CPU time.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
197559 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-40146
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused
by a flaw in the DefaultScriptSecurity function. By sending a specially-crafted
request, an attacker could exploit this vulnerability to conduct SSRF attack to
access files using a Jar url.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2022-38648
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused
by a flaw when calling the fop function. By sending a specially-crafted
request, an attacker could exploit this vulnerability to conduct SSRF attack to
fetch external resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236846 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2022-38398
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused
by a flaw in the DefaultExternalResourceSecurity function. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
conduct SSRF attack to load a url thru the jar protocol.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
236845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2022-29599
DESCRIPTION: maven-shared-utils could allow a remote attacker to execute
arbitrary commands on the system, caused by the emission of double-quoted
strings without proper escaping by the Commandline class. By sending a
specially-crafted request, an attacker could exploit this vulnerability to
execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
225489 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2020-13936
DESCRIPTION: Apache Velocity could allow a remote attacker to execute arbitrary
code on the system, caused by a sandbox bypass flaw. By modifying the Velocity
templates, an attacker could exploit this vulnerability to execute arbitrary
code with the same privileges as the account running the Servlet container.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
197993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
+----------------------------------+--------------------+
|Affected Product(s) |Version(s) |
+----------------------------------+--------------------+
|IBM App Connect Enterprise Toolkit|12.0.1.0 - 12.0.8.0 |
+----------------------------------+--------------------+
|IBM App Connect Enterprise Toolkit|11.0.0.1 - 11.0.0.20|
+----------------------------------+--------------------+
|IBM Integration Bus Toolkit |10.1 |
+----------------------------------+--------------------+
Remediation/Fixes
IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM App Connect Enterprise and IBM Integration
Bus.
+------------------+-----------+-------+--------------------------------------+
|Affected Product |Version(s) |APAR |Remediation / Fix |
|(s) | | | |
+------------------+-----------+-------+--------------------------------------+
| | | |Interim fix for APAR (IT43697) is |
|IBM App Connect |12.0.1.0 - |IT43697|available to apply to 12.0.8.0 from |
|Enterprise Toolkit|12.0.8.0 | | |
| | | |IBM Fix Central |
+------------------+-----------+-------+--------------------------------------+
| | | |Interim fix for APAR (IT43697) is |
|IBM App Connect |11.0.0.1 - |IT43697|available to apply to 11.0.0.20 from |
|Enterprise Toolkit|11.0.0.20 | | |
| | | |IBM Fix Central |
+------------------+-----------+-------+--------------------------------------+
| | | |Interim fix for APAR (IT43697) is |
|IBM Integration |10.1 |IT43697|available to apply to 10.1 from |
|Bus Toolkit | | | |
| | | |IBM Fix Central |
+------------------+-----------+-------+--------------------------------------+
Workarounds and Mitigations
None
Acknowledgement
Change History
23 May 2023: Initial Publication
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to
address potential vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a product/service inventory, we
address relevant vulnerabilities regardless of CVE date. Inclusion of an older
CVEID does not demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as of that date. We
are making clients aware of relevant vulnerabilities as we become aware of
them. "Affected Products and Versions" referenced in IBM Security Bulletins are
intended to be only products and versions that are supported by IBM and have
not passed their end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in this Security Bulletin
does not constitute a determination by IBM that they are unaffected by the
vulnerability. Reference to one or more unsupported versions in this Security
Bulletin shall not create an obligation for IBM to provide fixes for any
unsupported or extended-support products or versions.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
iQIVAwUBZKIytMkNZI30y1K9AQhqlQ/7B9zCiYLptJuRQPRizKUHb4wHkVUYFqIZ
2odW78vHWUeS35/eIIWZahA1zBXkou1NDuOG+33+TbQhHp/7ELUUT8nydEOSNnT8
rWC7x0fct2HFSTzr338BgUHkU/FzK4tHMpe08G4tFCPGYY/s48mJYQME3/5gVU/O
XPLVDHFzXVTr0hnlQYaMvWME1h3MGbBd6vMZJSalGK7IkV5EzZnFJc40mfIsa3tE
tEhWesMAh0bV2KnYCK1RzP+yEomSUtQHg4uPjP8cklxjViw9qlko9nGx7PvsOfPa
qt6+Gcj8lFpJWeptlPrubl5HJ3ddZRYP7D3VEtguBgC3sop5799qdQd3jI6or0YC
I/mfWt72S/A/4f7kc2lR0k2Fi3wzezZAF4VoC3jtoitSeT6r1hKMIIhSYCeRBJAV
EJP+JPDzyY5zb297Lt7XM4+H4hpxNNAHDcxagzfmtM/mhd07RJ7vB9cr+XffCSO6
TNqrespyvhZddD7FDpA1cyeaC0Eais1Rd6+emAXuKdFahS7Saotuq57gx/DBhOFY
hDps8qg3nL0DuTZQcU7QNRlIrW65fU0+7REPMmA4Oq5gzgWBBg0RaUgy2eW9wUul
k/9uigC07r0SjcRpKgJ1sN+kveuBpPZyFeMWnmTBLeS/bSxl3UWN3x77wsG/uvhZ
GerDp3KxV4g=
=Xpgu
-----END PGP SIGNATURE-----