SB2022070501 - Multiple vulnerabilities in IBM App Connect Enterprise and IBM Integration Bus
Published: July 5, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Resource exhaustion (CVE-ID: CVE-2021-44906)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
2) Resource exhaustion (CVE-ID: CVE-2022-44906)
The vulnerability allows a remote attacker to execute arbitrary code on the system.
The vulnerability exists due to prototype pollution in setKey() function in the index.js script. A remote attacker can send a specially-crafted request to exploit the vulnerability and execute arbitrary code on the system.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-node-js-minimist-module-cve-2022-44906/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-node-js-minimist-module-cve-2022-44906/</a><br><a
- https://www.ibm.com/support/pages/node/6601101"
- https://www.ibm.com/support/pages/node/6601101</a><br><br><br></p>