SB2022070501 - Multiple vulnerabilities in IBM App Connect Enterprise and IBM Integration Bus

Description

This security bulletin contains information about 2 vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2021-44906)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trick the library into adding or modifying the properties of Object.prototype, using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.

2) Resource exhaustion (CVE-ID: CVE-2022-44906)

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to prototype pollution in setKey() function in the index.js script. A remote attacker can send a specially-crafted request to exploit the vulnerability and execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-and-ibm-integration-bus-are-vulnerable-to-arbitrary-code-execution-due-to-node-js-minimist-module-cve-2022-44906/
• https://www.ibm.com/support/pages/node/6601101