IBM App Connect Enterprise, Integration Bus, Engineering Test Management and Tivoli Network Manager are vulnerable. Admins should promptly install the versions that are protected against possible attacks.
Source of the problem: XStream
IBM Engineering Test Management is a management solution, for example for software deployment. Attackers could exploit three vulnerabilities (CVE-2022-26258 "high", CVE-2022-26259 "high", CVE-2022-29505 "high"). If attacks on a vulnerability in the XStream Java library succeed, remote attackers could execute their own commands because user input is insufficiently checked.
In addition, files on the system can be deleted. The following editions are protected against this:
- IBM Engineering Test Management 7.0.2 iFix008
- IBM Engineering Test Management 7.0.1 iFix012
- IBM Engineering Test Management 7.0 iFix013
- Rational Quality Manager 220.127.116.11 iFix020
- Rational Quality Manager 6.0.6 iFix024
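The XStream flaw described above comes down to the library instantiating whatever types an untrusted XML document names. The following is an added example, not code from IBM or from the page: it shows the defensive configuration of XStream's security framework with an explicit type allowlist, so that a document naming any class the application does not expect is rejected before an instance is created. The `TestResult` class, the alias and the sample XML are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;

public class XStreamAllowlistDemo {
    // Hypothetical application DTO; stands in for the types a service really expects.
    public static class TestResult {
        public String testCase;
        public boolean passed;
    }

    // Build an XStream instance that refuses every type not explicitly permitted.
    static XStream hardenedXStream() {
        XStream xstream = new XStream();
        // Since XStream 1.4.18 the security framework is active by default and blocks
        // all types; on older versions this call enables the same behaviour explicitly.
        XStream.setupDefaultSecurity(xstream);
        // Allowlist only the types this endpoint is designed to deserialize.
        xstream.allowTypes(new Class[] { TestResult.class });
        xstream.alias("testResult", TestResult.class);
        return xstream;
    }

    public static void main(String[] args) {
        XStream xstream = hardenedXStream();

        // Constructed sample input in the expected shape: deserializes normally.
        String expected = "<testResult><testCase>login</testCase><passed>true</passed></testResult>";
        TestResult r = (TestResult) xstream.fromXML(expected);
        System.out.println("parsed: " + r.testCase + " passed=" + r.passed);

        // Constructed input naming a type the service never expects. With the allowlist
        // in place, XStream throws a ForbiddenClassException (an XStreamException)
        // instead of instantiating the class.
        String unexpected = "<java.util.HashMap/>";
        try {
            xstream.fromXML(unexpected);
            System.out.println("unexpected type was accepted: allowlist is misconfigured");
        } catch (XStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running this requires the XStream jar on the classpath; the second `fromXML` call is the check a practitioner can keep in a unit test to make sure the allowlist is not loosened by later changes.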
IBM Tivoli Network Manager visualizes, among other things, the topology of networks. The application is affected by four vulnerabilities, two of which carry the threat level "high" (CVE-2022-35516, CVE-2022-36090). If attackers foist a crafted TAR archive on victims, the Apache Commons Compress library can fail while processing it, causing crashes (DoS).
The developers state that they have fixed the problems in ITNM 4.2 Fix Pack 15 (i.e. 18.104.22.168). The following builds are fixed:
Malicious code attacks
With IBM App Connect Enterprise you transfer business information between multiple hardware and software platforms. IBM Integration Bus connects applications regardless of their message format or protocol. By sending a crafted request (CVE-2022-44906 "medium"), attackers could push malicious code onto systems and execute it.
IBM App Connect Enterprise Version v11 – Fix Pack 22.214.171.124 and IBM App Connect Enterprise Version v12 – Fix Pack 126.96.36.199 are protected against such attacks. IBM Integration Bus users must apply the workaround given in the advisory to protect their systems.