An error in the IBM MQ and IBM MQ Appliance Command Server PCF logic allows an attacker to cause a denial of service by sending a specially crafted PCF message. The message crashes the Command Server, which prevents further administrative commands from being executed against queue managers.
CVEID: CVE-2019-4378
DESCRIPTION: IBM MQ command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162084> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
IBM WebSphere MQ V7.1: versions 7.1.0.0 - 7.1.0.9
IBM WebSphere MQ V7.5: versions 7.5.0.0 - 7.5.0.9
IBM MQ and IBM MQ Appliance V8: versions 8.0.0.0 - 8.0.0.12
IBM MQ V9.0 LTS: versions 9.0.0.0 - 9.0.0.6
IBM MQ and IBM MQ Appliance V9.1 LTS: versions 9.1.0.0 - 9.1.0.2
IBM MQ and IBM MQ Appliance V9.1 CD: versions 9.1.0 - 9.1.2
IBM WebSphere MQ V7.1: Contact IBM Support requesting a fix for APAR IT29141
IBM WebSphere MQ V7.5: Contact IBM Support requesting a fix for APAR IT29141
IBM MQ and IBM MQ Appliance V8
IBM MQ V9.0 LTS
IBM MQ and IBM MQ Appliance V9.1 LTS: Apply Fixpack 9.1.0.3
IBM MQ and IBM MQ Appliance V9.1 CD: Upgrade to IBM MQ 9.1.3
None
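
A version check built from the affected ranges listed in this bulletin, as an added example that is not part of the IBM text. It shows why a single "older than the fix" comparison is wrong for 9.1: 9.1.0.3 (LTS) is fixed while the numerically later 9.1.1 and 9.1.2 (CD) are affected. The function names, the constructed sample output and the treatment of 9.1.0.x as the LTS stream are assumptions.

```python
import re

APAR = "Contact IBM Support requesting a fix for APAR IT29141"
# (low, high, remediation) copied from the bulletin above; remediation is None
# where the bulletin text lists no fix for that stream.
AFFECTED = [
    ((7, 1, 0, 0), (7, 1, 0, 9), APAR),
    ((7, 5, 0, 0), (7, 5, 0, 9), APAR),
    ((8, 0, 0, 0), (8, 0, 0, 12), None),
    ((9, 0, 0, 0), (9, 0, 0, 6), None),
    ((9, 1, 0, 0), (9, 1, 0, 2), "Apply Fixpack 9.1.0.3"),  # 9.1 LTS
    # 9.1 CD: matched on three components. Assumption: 9.1.0.x hosts are
    # judged by the LTS row, so the CD row starts at 9.1.1.
    ((9, 1, 1), (9, 1, 2), "Upgrade to IBM MQ 9.1.3"),
]

# Constructed sample of dspmqver-style output (not captured from a real host).
SAMPLE_DSPMQVER = "Name:        IBM MQ\nVersion:     8.0.0.12\n"

def parse_version(text):
    """Return a 4-part version tuple from a bare version or a 'Version:' line."""
    m = (re.search(r"^\s*Version:\s*(\d+(?:\.\d+){2,3})\s*$", text, re.M)
         or re.fullmatch(r"\s*(\d+(?:\.\d+){2,3})\s*", text))
    if not m:
        raise ValueError("no MQ version found in input")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def check(text):
    """Return (affected, remediation) for CVE-2019-4378."""
    version = parse_version(text)
    for low, high, remediation in AFFECTED:
        # Compare only as many components as the range itself specifies.
        if low <= version[:len(low)] <= high:
            return True, remediation
    return False, None

if __name__ == "__main__":
    for v in ("7.5.0.9", "9.1.0.2", "9.1.0.3", "9.1.2", "9.1.3", SAMPLE_DSPMQVER):
        print(repr(v), check(v))
```

The check reads only the reported version number, so a 7.1 or 7.5 host stays flagged unless the APAR fix changes that number; confirm those hosts against the installed fix list.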