Operating System:

[WIN][LINUX][AIX]

Published:

28 September 2022

Protect yourself against future threats.

//Service

Sensitive Information Alert

Alert notification provided via email for sensitive material found online by our analyst team which specifically targets your organisation.

Read more
Resources > Security Bulletins > ESB-2022.4800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4800
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM
              App Connect Enterprise and IBM Integration Bus
                             28 September 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM App Connect Enterprise
                   IBM Integration Bus
Publisher:         IBM
Operating System:  Windows
                   Linux variants
                   AIX
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-21496 CVE-2022-21443 CVE-2022-21434
                   CVE-2022-21299 CVE-2021-35561 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6824141

Comment: CVSS (Max):  5.3 CVE-2022-21496 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java Runtime affect IBM App Connect Enterprise
and IBM Integration Bus

Document Information

Document number    : 6824141
Modified date      : 27 September 2022
Product            : IBM App Connect Enterprise
Software version   : -
Operating system(s): Windows
                     Linux
                     AIX
Edition            : -

Summary

There are multiple vulnerabilities in IBM SDK Java Technology Edition used by
IBM App Connect Enterprise and IBM Integration Bus. These issues were disclosed
as part of the IBM SDK, Java Technology Edition Quarterly CPU - Apr 2022
(includes Oracle April 2022 CPU). The fix includes IBM Java SDK 8.0.7.11

Vulnerability Details

CVEID: CVE-2021-35561
DESCRIPTION: An unspecified vulnerability in Java SE related to the Utility
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
211637 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-21299
DESCRIPTION: An unspecified vulnerability in Java SE related to the JAXP
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
217594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2022-21496
DESCRIPTION: An unspecified vulnerability in Java SE related to the JNDI
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
224777 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2022-21434
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause no confidentiality
impact, low integrity impact, and no availability impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
224718 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2022-21443
DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries
component could allow an unauthenticated attacker to cause a denial of service
resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
224726 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+--------------------------+--------------------+
|Affected Product(s)       |Version(s)          |
+--------------------------+--------------------+
|IBM App Connect Enterprise|12.0.1.0 - 12.0.5.0 |
+--------------------------+--------------------+
|IBM App Connect Enterprise|11.0.0.0 - 11.0.0.18|
+--------------------------+--------------------+
|IBM Integration Bus       |10.0.0.0 - 10.0.0.26|
+--------------------------+--------------------+

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by
applying the appropriate fix to IBM App Connect Enterprise and IBM Integration
Bus

+----------------+--------------+-------+-------------------------------------+
|Product(s)      |Version(s)    |APAR   |Remediation / Fix                    |
+----------------+--------------+-------+-------------------------------------+
|                |              |       |The APAR (IT41711) is available in   |
|IBM App Connect |v12.0.1.0 -   |IT41711|fixpack 12.0.6.0                     |
|Enterprise      |v12.0.5.0     |       |                                     |
|                |              |       |IBM App Connect Enterprise -12.0.6.0 |
+----------------+--------------+-------+-------------------------------------+
|                |              |       |The APAR (IT41711) is available in   |
|IBM App Connect |v11.0.0.0 -   |IT41711|fixpack 11.0.0.19                    |
|Enterprise      |v11.0.0.18    |       |                                     |
|                |              |       |IBM App Connect Enterprise -11.0.0.19|
+----------------+--------------+-------+-------------------------------------+
|                |              |       |Interim fix for APAR (IT41711) is    |
|IBM Integration |v10.0.0.0 -   |       |available from                       |
|Bus             |v10.0.0.26    |IT41711|                                     |
|                |              |       |IBM Fix Central - Interim fix        |
|                |              |       |available to apply to 10.0.0.26      |
+----------------+--------------+-------+-------------------------------------+

Workarounds and Mitigations

none

Change History

24 Aug 2022: Initial Publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYzO5dckNZI30y1K9AQi+Yg/+NzX+qaA3WtrW1DLwaXdygejziX3+K94Z
LZlPyPCSU3fh14X8v96JXpH0gG3vpP6yzd6yYeWZXOvG075ZMS4UTAlql4M8lSjE
5r3JDLJzM8+oy07EcmiOo0cmAygRXzUPDpi1ynC/jiYc4YkqQlQAPjGkk5ZUgEcb
wumi4wyiDTeXVe0GOzEQ55LtdHHCeLtOFB+/E1GYP1dHoSZ8esJJr/i9EbRil3zY
1XkIpo+trVP9UqyaEIwF2ILsX2J1UqaS+nkt+Gl6jfVhgDE2UFWVDSHrgCndypn1
v6eN8JjqlhlfzdsQHuV/LrL1e/9P/fgCBAZdrJSviGWEDeoB3RitbanEn1JRyreI
FCQkDNm0ANAN851BtRwx6uIc/zye+KC4KML6VZGbKC+SmmW6ZeVoBicIy812s6Fn
1f8IeILpNsLYnXDSi4ucyWnz9Kne/FFC8EZEzPDkCMoT32/q/dH/O7ZD8cVg7dxs
mzWmZV5Db0h9jl/UnF6GFgWY+FWr0giIiJUtHNnU/Q4rjWwtNcK+vFtYBl6+Jgeb
Yl0qo1MK/KV1vb6g+cY/iWz0NfsiIfMySCiqdBdJY3GxnN2CBHN4TpaEy7Mv5ro7
y0+pDfsZC8FFXMLmNCo7BBZnOhjL4RUCHaYOWH3qnjaipqaZ1Ekj9S28MyfHTn1S
fsMcCsyUFio=
=lRPG
-----END PGP SIGNATURE-----