IBM App Connect Enterprise and IBM Integration Bus Vulnerabilities. CVE-2022-44906
IBM ACE and IBM Integration Bus vulnerabilities due to the node.js minimist module were announced:
IBM App Connect Enterprise and IBM Integration Bus are vulnerable to arbitrary code execution due to the node.js minimist module (CVE-2022-44906). A mitigation has been provided for IBM Integration Bus. The latest fix packs for IBM App Connect Enterprise include minimist 1.2.6.

Vulnerability Details

CVEID: CVE-2021-44906
DESCRIPTION: Node.js Minimist module could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution in the setKey() function in the index.js script. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/222195 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Remediation/Fixes

IBM strongly recommends addressing the vulnerability/vulnerabilities now by applying the appropriate fix to IBM App Connect Enterprise.

Product(s) | Version(s) | APAR | Remediation / Fix
IBM Integration Bus | | | see section Workarounds and Mitigations

Workarounds and Mitigations

IBM strongly recommends addressing the […]
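The bulletin names the defect class (prototype pollution in a nested-key setter) but not what it looks like or how a parser avoids it. The following is an added example, not code from IBM, ACE/IIB or the minimist project: a minimal "--key.path=value" handler in the style of minimist's setKey(), in an unsafe form and a hardened form, with a check a defender can run to see whether Object.prototype has already been polluted. The function names and the constructed arguments are illustrative.

```javascript
// Added example, not code from IBM, ACE/IIB or minimist: a minimal
// "--key.path=value" handler in the style of minimist's setKey(), shown
// in an unsafe form and a hardened form, plus a defender-side check.

// Path segments that must never be walked or assigned.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Splits an argument such as "--a.b=1" into its key path and value.
function parseDottedArg(arg) {
  const m = /^--([^=]+)=(.*)$/.exec(arg);
  if (!m) throw new Error(`not a --key=value argument: ${arg}`);
  return { keys: m[1].split('.'), value: m[2] };
}

// Unsafe: every segment is dereferenced blindly, so a path whose first
// segment is "__proto__" walks onto Object.prototype and writes there.
function setKeyUnsafe(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (o[key] === undefined) o[key] = {};
    o = o[key];
  }
  o[keys[keys.length - 1]] = value;
  return obj;
}

// Hardened: rejects forbidden segments and only descends into the
// target's own plain-object properties, never into inherited ones.
function setKeySafe(obj, keys, value) {
  let o = obj;
  keys.forEach((key, i) => {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected prototype-pollution segment: ${key}`);
    }
    if (i === keys.length - 1) { o[key] = value; return; }
    const own = Object.prototype.hasOwnProperty.call(o, key);
    if (!own || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  });
  return obj;
}

// Defender check: does Object.prototype carry an own property it should
// not have (a sign that some parser in the process has been polluted)?
function prototypeIsPolluted(prop) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, prop);
}
```

In a Node.js application that embeds an affected minimist, upgrading to 1.2.6 (as the ACE fix packs do) is the remediation; the check above only tells you whether pollution has already happened in the running process.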
Arbitrary code execution due to the node.js minimist module isn't the only security or compliance concern for your enterprise messaging security. When assessing vulnerability risks you need to include an inside-out approach. Infrared360 can help you mitigate inside-out IBM Integration Bus vulnerabilities, ACE vulnerabilities, and all your middleware inside-out vulnerabilities, while giving your middleware team smarter, easier tools for optimizing performance and meeting SLAs. Check out the information below or our Infrared360 overview.
Avada Software’s flagship product, Infrared360®, is an IT management portal providing total administration, monitoring, testing, auditing, analytics dashboards, and self-service for cloud, on-prem, or hybrid environments. Get secure, collaborative management of elements across your IT stack like Kafka®, IBM MQ™, IBM IIB™, TIBCO EMS™, WebSphere™, JBoss™, & Apache™, URLs, and SOAP & REST-based web services.