SB2022101124 - Multiple vulnerabilities in IBM App Connect Enterprise and IBM Integration Bus

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2022-29244)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=`). Anyone who has run `npm pack` or `npm publish` inside a workspace, may be affected and have published files into the npm registry they did not intend to include.

2) Open redirect (CVE-ID: CVE-2022-33987)

The vulnerability allows a remote attacker to redirect victims to arbitrary URL.

The vulnerability exists due to requested URLs are not verified and allow open redirection to a local UNIX socket. A remote attacker can create a link that leads to a trusted website, however, when clicked, redirects the victim to arbitrary domain.

Successful exploitation of this vulnerability may allow a remote attacker to perform a phishing attack and steal potentially sensitive information.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-a-remote-authenticated-attacker-due-to-node-js-cve-2022-29244-cve-2022-33987/"
• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-a-remote-authenticated-attacker-due-to-node-js-cve-2022-29244-cve-2022-33987/</a><br>
• https://www.ibm.com/support/pages/node/6611979<br><br></p>