CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

EPSS Percentile: 71.5%
Issues were identified in Red Hat UBI packages libksba and sqlite that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.
CVEID: CVE-2022-47629
**DESCRIPTION:** Libksba could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the CRL signature parser. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242850 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-35737
**DESCRIPTION:** SQLite is vulnerable to a denial of service, caused by an array-bounds overflow. By passing a specially crafted string argument to the C API, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232832 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | CD: 2.2.2 and prior releases; LTS: 2.0.7 and prior releases |
IBM supplied MQ Advanced container images | 9.3.1.1-r1, 9.3.0.3-r1 and prior releases |
The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.3.0 CD release, which included the IBM supplied MQ Advanced 9.3.2.0-r1 container images, and in the IBM MQ Operator 2.0.8 LTS release, which included the IBM supplied MQ Advanced 9.3.0.4-r1 container images.
IBM MQ Operator 2.3.0 CD release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.3.0 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:66d75b33c95d7e70a5e85622ebe61e4429a8a6511bac3f14f96d04c71cea79c7 |
ibm-mqadvanced-server | 9.3.2.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:ee03e66d7bd05969c86bfd20a580bf179486552b478a68379787ea7dc4b107a5 |
ibm-mqadvanced-server-integration | 9.3.2.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8 |
ibm-mqadvanced-server-dev | 9.3.2.0-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:1495dc1c5af33829a69da82e56cf4d057177780177eb18d32d6e30c73218719c |
IBM MQ Operator 2.0.8 LTS release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.8 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:ed3f5f1e3f14fde5796c48e72fd6576e182831b70c1a7218661e4cc02a419573 |
ibm-mqadvanced-server | 9.3.0.4-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:65ce0bea1d22faaee92d815229c4b010b239078a4fa37c96573f485350f41064 |
ibm-mqadvanced-server-integration | 9.3.0.4-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0 |
ibm-mqadvanced-server-dev | 9.3.0.4-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:83dd2715f462c9da6f0160b109f82b2bd29e7f175624b2dec40086fde384f571 |
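One way to triage deployed MQ Advanced image tags against the fix levels listed above. This is an added example, not IBM's tooling. The function names `ver_key` and `mq_fix_status` are hypothetical, the sample references are constructed, and the script assumes tags shaped `V.R.M.F-rN` in which a modification level of 0 marks the LTS stream.

```shell
#!/bin/sh
# Added example: classify MQ Advanced image tags against this bulletin's fix levels.
FIX_CD="9.3.2.0-r1"    # from the bulletin (IBM MQ Operator 2.3.0 CD)
FIX_LTS="9.3.0.4-r1"   # from the bulletin (IBM MQ Operator 2.0.8 LTS)

# ver_key TAG: "9.3.0.4-r1" -> 9003000004001 (comparable integer).
# Fails (non-zero exit, no output) for anything not shaped V.R.M.F-rN.
# Each component is assumed to be below 1000.
ver_key() {
  printf '%s\n' "$1" | awk -F'[.]|-r' '
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-r[0-9]+$/ {
      printf "%.0f\n", ((($1 * 1000 + $2) * 1000 + $3) * 1000 + $4) * 1000 + $5
      ok = 1
    }
    END { exit !ok }'
}

# mq_fix_status REF: prints fixed | affected | unknown.
# REF is a bare tag or repo:tag; digest-pinned refs carry no tag and give "unknown",
# so compare those against the Image Location digests in the tables instead.
mq_fix_status() {
  tag=${1##*:}
  key=$(ver_key "$tag") || { echo unknown; return 0; }
  # Assumption: modification level 0 (V.R.0.F) marks the LTS stream, anything else CD.
  mod=$(printf '%s\n' "$tag" | cut -d. -f3)
  if [ "$mod" -eq 0 ]; then fix=$FIX_LTS; else fix=$FIX_CD; fi
  if [ "$key" -lt "$(ver_key "$fix")" ]; then echo affected; else echo fixed; fi
}

# Constructed sample input, standing in for image references read from pod specs.
for ref in \
  "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.3-r1" \
  "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.4-r1" \
  "icr.io/ibm-messaging/mq:9.3.1.1-r1" \
  "icr.io/ibm-messaging/mq:9.3.2.0-r1" \
  "icr.io/ibm-messaging/mq:latest"
do
  printf '%-50s %s\n' "$ref" "$(mq_fix_status "$ref")"
done
```

A tag-based result only tells you what the reference claims; a mutable tag can point at a rebuilt image, so confirm with the digest where the deployment exposes it.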
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_mq_certified_container_software | 2.3.0 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.3.0:*:*:*:*:*:*:* |
ibm | ibm_mq_certified_container_software | 2.0.8 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.0.8:*:*:*:*:*:*:* |