App Connect Enterprise Certified Container update for Node.js

Published: 2023-12-22

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-38552 CVE-2023-39333
CWE-ID	CWE-354 CWE-94
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	App Connect Enterprise Certified Container Server applications / Other server solutions
Vendor	IBM Corporation

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper validation of integrity check value

EUVDB-ID: #VU82069

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-38552

CWE-ID: CWE-354 - Improper Validation of Integrity Check Value

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error in the policy feature, which checks the integrity of a resource against a trusted manifest. An application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check.

Mitigation

Install update from vendor's website.

Vulnerable software versions

App Connect Enterprise Certified Container: before 5.0.13

CPE2.3

cpe:2.3:a:ibm_corporation:app_connect_enterprise_certified_container:*:*:*:*:*:*:*:*

External links

https://www.ibm.com/support/pages/node/7096717

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Code Injection

EUVDB-ID: #VU82070

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-39333

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')