Security Bulletin: IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below.
Discription

## Summary

IBM Edge Application Manager 4.5.2 addresses the security vulnerabilities listed in the CVEs below.

## Vulnerability Details

** CVEID: **[CVE-2022-25883]()
** DESCRIPTION: **Node.js semver package is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the new Range function. By providing specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/258647]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2023-28155]()
** DESCRIPTION: **Node.js Request module is vulnerable to server-side request forgery, caused by a cross-protocol redirect bypass flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to conduct SSRF attack.
CVSS Base score: 6.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/250386]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

** CVEID: **[CVE-2023-26115]()
** DESCRIPTION: **Node.js word-wrap module is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the result variable. By sending a specially crafted regex input, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/256901]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

** CVEID: **[CVE-2023-29827]()
** DESCRIPTION: **Node.js ejs module could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a server-side template injection flaw. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 5.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/254586]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)

** CVEID: **[CVE-2023-26136]()
** DESCRIPTION: **Salesforce tough-cookie could allow a remote attacker to execute arbitrary code on the system, caused by a prototype pollution flaw due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. By adding or modifying properties of Object.prototype using a __proto__ or constructor payload, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/259555]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

** IBM X-Force ID: **258323
** DESCRIPTION: **Apollo GraphQL Apollo Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Content Security Policies (CSP). A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: [https://exchange.xforce.ibmcloud.com/vulnerabilities/258323 ]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3
IBM Edge Application Manager| 4.5
IBM Edge Application Manager| 4.4
IBM Edge Application Manager| 4.3

## Remediation/Fixes

The fix/upgrade is a set of docker images, that will automatically be pulled and deployed from both dockerhub and the IBM Entitled Registry.

## Workarounds and Mitigations

None

##Read More

Back to Main

Subscribe for the latest news: