Security Update: Multiple Attacks Possible on IBM App Connect Enterprise – heise online

by Sophie Williams

IBM has released security updates for its App Connect Enterprise platform, addressing two critical vulnerabilities that could allow attackers to bypass login protections under specific configurations.

The flaws, identified as CVE-2024-48948 and CVE-2024-48949, both rated as high severity, reside in the Elliptic module of Node.js used for signature verification. According to IBM, these vulnerabilities only affect systems utilizing COS S3 Storage, where attackers could submit specially crafted hash requests to circumvent security controls and gain unauthorized access.

In some cases, valid signatures may also be incorrectly rejected as untrustworthy during an attack, potentially disrupting legitimate operations.

IBM confirmed that the issues have been resolved in App Connect Enterprise Certified Container version 11.6.0 (Continuous Delivery). Administrators are advised to ensure all dashboard components are updated to at least version 12.0.12.2-r1.

While the App Connect Enterprise Certified Container 12.0 LTS release is not believed to be affected, IBM recommends keeping dashboard components current. The 5.0 LTS version, specifically 5.0.18, includes the necessary protections against these threats.

To date, IBM has not detected any active exploitation of these vulnerabilities in the wild, and there is no publicly available guidance on identifying compromised systems.

The updates underscore the importance of maintaining up-to-date integration middleware, particularly in hybrid cloud environments where secure data processing across platforms is essential for enterprise operations.
