IBM ACE and IBM Integration Bus Vulnerabilities, due to due to node.js minimist module, were announced:
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to the node.js minimist module ( CVE-2022-44906). A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise includes minimist 1.2.6 Vulnerability Details CVEID: CVE-2021-44906 DESCRIPTION: Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 5.6 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) Remediation/Fixes IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise Product(s) Version(s) APAR Remediation / Fix IBM Integration Bus see section Workarounds and Mitigations Workarounds and Mitigations IBM strongly recommends addressing the […]
Arbitrary code execution due to the node.js minimist module isn’t the only security and/or compliance concern for your Enterprise Messaging security. When assessing vulnerability risks you need to include an Inside-Out approach. Infrared360 can help you mitigate inside-out IBM Integration Bus vulnberabilities, ACE vulnerabilities, and all your middleware inside-out vulnerabilities – while giving your middleware team smarter, easier, tools for optimizing performance and meeting SLAs. Check out the information below or our Infrared360 overview.