Critical ReDoS and SSRF ACE Vulnerabilities Addressed

By |Published On: November 20th, 2024|2 min read|
ACE vulnerabilities fixed
Table of Contents

Critical ReDoS and SSRF ACE Vulnerabilities Addressed in Latest Updates

IBM App Connect Enterprise (ACE) Certified Containers are a vital tool for enterprises seeking to modernize their integration processes. However, recent ACE vulnerabilities in the Node.js modules used by these containers have highlighted critical security risks, emphasizing the importance of timely updates and proactive monitoring.

What Are the Recent Vulnerabilities?

Two major vulnerabilities have been identified in IBM App Connect Enterprise Certified Containers:

  1. Axios Vulnerability – ReDoS Attack
    • IBM X-Force ID: 386108
    • Description: A flaw in the format method of the Node.js Axios module makes it vulnerable to ReDoS (Regular Expression Denial of Service) attacks. Attackers can exploit this by sending specially crafted regex inputs, resulting in a denial of service.
    • CWE-1333: Inefficient Regular Expression Complexity (https://cwe.mitre.org/data/definitions/1333.html)
    • CVSS Score: 7.5 (https://www.first.org/cvss/v3.1/specification-document)
  2. Multiple Node.js Module Vulnerabilities
    • CVE-2024-45590: A flaw in ExpressJS’s body-parser allows attackers to exploit resource consumption, causing a denial of service. More details at: https://cwe.mitre.org/data/definitions/405.html.
    • CVE-2024-39338: A vulnerability in Axios mishandles relative URLs, leading to server-side request forgery (SSRF). For more information, visit: https://cwe.mitre.org/data/definitions/918.html.
    • CVSS Score: Both vulnerabilities have a score of 7.5.

Versions Affected by These Vulnerabilities

The ACE vulnerabilities affect a range of IBM ACE Certified Container versions, including:

  • 5.0 LTS
  • 12.0 LTS
  • All Continuous Delivery (CD) versions up to 12.3.0

How to Mitigate These ACE Vulnerabilities

IBM recommends the following upgrades to address these App Connect Enterprise vulnerabilities:

  • Continuous Delivery (CD) Versions: Upgrade to ACE Certified Container Operator version 12.4.0 or higher, ensuring components are at 13.0.1.0-r1 or higher. Documentation.
  • 12.0 LTS Versions: Update to ACE Certified Container Operator version 12.0.5 or higher with components at 12.0.12-r5 or higher. Documentation.
  • 5.0 LTS Versions: Upgrade to ACE Certified Container Operator version 5.0.22 or higher, with components at 12.0.12.8-r1-lts or higher. Documentation.

The Role of Monitoring in Addressing ACE Vulnerabilities

While patching is critical, robust monitoring tools can help enterprises detect and prevent issues stemming from vulnerabilities. Avada Software’s Infrared360 provides advanced monitoring for IBM App Connect Enterprise, helping organizations maintain secure and efficient integration environments.

For actionable insights, check out Avada Software’s guide on Important KPIs for Effective ACE Monitoring.

Related App Connect Enterprise Vulnerabilities

Recent vulnerabilities, such as those exposing JMS credentials in IBM ACE, underscore the importance of layered defenses. Learn more about addressing these issues:

Strengthening Your Security Against ACE Vulnerabilities

Organizations leveraging IBM ACE Certified Containers must act quickly to address these vulnerabilities. Staying current with patches and updates ensures secure operations, while implementing monitoring tools like Infrared360 adds an extra layer of protection.

For more information on monitoring IBM ACE and addressing ACE vulnerabilities, visit Avada Software’s page on Managing IBM ACE.

More Infrared360® Resources

About the Author: Scott Treggiari

Go to Top