===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2023.3781
Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit
3 July 2023
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit
Publisher:         IBM
Operating System:  Linux variants
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2023-26049 CVE-2022-40146 CVE-2022-38648
                   CVE-2022-38398 CVE-2022-29599 CVE-2022-2047
                   CVE-2021-28169 CVE-2021-28165 CVE-2020-27223
                   CVE-2020-13936 CVE-2020-10683 CVE-2019-0227
                   CVE-2018-8032 CVE-2015-1832 CVE-2014-3596
                   CVE-2012-5784 CVE-2010-2232 CVE-2009-4269
Original Bulletin: https://www.ibm.com/support/pages/node/7001793

Comment: CVSS (Max):  9.8 CVE-2022-29599 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple vulnerabilities affect the IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit

Document Information

Document number    : 7001793
Modified date      : 30 June 2023
Product            : IBM App Connect Enterprise
Component          : -
Software version   : TOOLKIT
Operating system(s): Linux
                     Windows

Security Bulletin

Summary

The IBM App Connect Enterprise Toolkit and the IBM Integration Bus Toolkit are vulnerable, as per the CVEs listed in the Vulnerability Details section. These vulnerabilities affect some development tasks in the product toolkit. [CVE-2022-29599] and [CVE-2020-10683] only affect Test and Java projects if they have been configured to be a Maven project.
The resolving fix has been provided in the Remediation Fixes table.

Vulnerability Details

CVEID: CVE-2020-10683
DESCRIPTION: dom4j could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2018-8032
DESCRIPTION: Apache Axis is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the default servlet/services. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/147823 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2014-3596
DESCRIPTION: Apache Axis and Axis2 could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95377 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2019-0227
DESCRIPTION: Apache Axis is vulnerable to server-side request forgery, caused by an expired hard coded domain, used in a default example service named StockQuoteService.jws. By using a man-in-the-middle attack to force an HTTP request, a remote attacker could exploit this vulnerability to conduct an SSRF attack, allowing the attacker to execute arbitrary code on the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159283 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2012-5784
DESCRIPTION: Apache Axis 1.4, as used in multiple products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. An attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server and launch further attacks against a vulnerable target.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/79829 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2021-28165
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach 100% usage.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/199305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-26049
DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing.
By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2010-2232
DESCRIPTION: Apache Derby could allow a remote attacker to overwrite arbitrary files, caused by a flaw in the Export functionality. An attacker could exploit this vulnerability to overwrite arbitrary files on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/134130 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-1832
DESCRIPTION: Apache Derby could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML datatype and XmlVTI. An attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/115625 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P)

CVEID: CVE-2009-4269
DESCRIPTION: Apache Derby could allow a remote attacker to obtain sensitive information, caused by the reduction of the size of the set of inputs to SHA-1 by the password hash generation algorithm managed by the BUILTIN authentication functionality. By generating hash collisions, a remote attacker could exploit this vulnerability to crack passwords and obtain sensitive information.
CVSS Base score: 2.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/61202 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2021-28169
DESCRIPTION: Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw in the ConcatServlet. By sending a specially-crafted request using a doubly encoded path, an attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/203492 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2022-2047
DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the HttpURI class. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the HttpClient and ProxyServlet/AsyncProxyServlet/AsyncMiddleManServlet to wrongly interpret an authority with no host as one with a host.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230668 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2020-27223
DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused by an error when handling a request containing multiple Accept headers with a large number of quality parameters. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to exhaust minutes of CPU time.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197559 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-40146
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused by a flaw in the DefaultScriptSecurity function.
By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack to access files using a Jar URL.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236847 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2022-38648
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused by a flaw when calling the fop function. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack to fetch external resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236846 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2022-38398
DESCRIPTION: Apache Batik is vulnerable to server-side request forgery, caused by a flaw in the DefaultExternalResourceSecurity function. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct an SSRF attack to load a URL through the jar protocol.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236845 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2022-29599
DESCRIPTION: maven-shared-utils could allow a remote attacker to execute arbitrary commands on the system, caused by the emission of double-quoted strings without proper escaping by the Commandline class. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225489 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-13936
DESCRIPTION: Apache Velocity could allow a remote attacker to execute arbitrary code on the system, caused by a sandbox bypass flaw. By modifying the Velocity templates, an attacker could exploit this vulnerability to execute arbitrary code with the same privileges as the account running the Servlet container.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/197993 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

+----------------------------------+--------------------+
|Affected Product(s)               |Version(s)          |
+----------------------------------+--------------------+
|IBM App Connect Enterprise Toolkit|12.0.1.0 - 12.0.8.0 |
+----------------------------------+--------------------+
|IBM App Connect Enterprise Toolkit|11.0.0.1 - 11.0.0.20|
+----------------------------------+--------------------+
|IBM Integration Bus Toolkit       |10.1                |
+----------------------------------+--------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise and IBM Integration Bus.
+------------------+-----------+-------+--------------------------------------+
|Affected Product  |Version(s) |APAR   |Remediation / Fix                     |
|(s)               |           |       |                                      |
+------------------+-----------+-------+--------------------------------------+
|IBM App Connect   |12.0.1.0 - |IT43697|Interim fix for APAR (IT43697) is     |
|Enterprise Toolkit|12.0.8.0   |       |available to apply to 12.0.8.0 from   |
|                  |           |       |IBM Fix Central                       |
+------------------+-----------+-------+--------------------------------------+
|IBM App Connect   |11.0.0.1 - |IT43697|Interim fix for APAR (IT43697) is     |
|Enterprise Toolkit|11.0.0.20  |       |available to apply to 11.0.0.20 from  |
|                  |           |       |IBM Fix Central                       |
+------------------+-----------+-------+--------------------------------------+
|IBM Integration   |10.1       |IT43697|Interim fix for APAR (IT43697) is     |
|Bus Toolkit       |           |       |available to apply to 10.1 from       |
|                  |           |       |IBM Fix Central                       |
+------------------+-----------+-------+--------------------------------------+

Workarounds and Mitigations

None

Acknowledgement

Change History

23 May 2023: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them.

"Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.