App Connect Enterprise Certified Container update for vm2
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-29017 |
| CWE-ID | CWE-913 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #1 is available. |
| Vulnerable software |
App Connect Enterprise Certified Container Server applications / Other server solutions |
| Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Improper Control of Dynamically-Managed Code Resources
EUVDB-ID: #VU74606
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2023-29017
CWE-ID:
CWE-913 - Improper Control of Dynamically-Managed Code Resources
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to escape sandbox restrictions.
The vulnerability exists due to improper handling of host objects passed to "Error.prepareStackTrace" in case of unhandled async errors. A remote attacker can pass specially crafted input to the application, escape sandbox restrictions and execute arbitrary code on the host.
MitigationInstall update from vendor's website.
Vulnerable software versionsApp Connect Enterprise Certified Container: before 5.0.6
CPE2.3 External linkshttp://www.ibm.com/support/pages/node/6986625
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
