Summary IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js. This bulletin identifies the steps to take to address the vulnerability. Vulnerability Details ** CVEID: CVE-2024-21892 DESCRIPTION: **Node.js could allow a local authenticated attacker to gain elevated privileges on the system, caused by a bug in the implementation of the exception of CAP_NET_BIND_SERVICE. An attacker could exploit this vulnerability to inject code that inherits the process's elevated privileges. CVSS Base score: 7.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282986 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) ** CVEID: CVE-2024-22019 DESCRIPTION: **Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP request with unbounded chunk extension. By sending a specially crafted HTTP request, an attacker could exploit this vulnerability to exhaust all available resources. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/282988 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: CVE-2023-46809 DESCRIPTION: **Node.js could allow a remote attacker to obtain sensitive information, caused by a vulnerability in the privateDecrypt() API of the crypto library. An attacker could exploit this vulnerability to conduct a covert timing side-channel during PKCS#1 v1.5…Read More
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js.
