A denial of service vulnerability was discovered in the corosync library, which is used by the RDQM feature of IBM MQ and the high availability feature of IBM MQ Appliance.
CVEID: CVE-2018-1084
DESCRIPTION: Corosync is vulnerable to a denial of service, caused by an integer overflow in exec/totemcrypto.c. By sending a specially crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141586> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
IBM MQ and IBM MQ Appliance version 9.1 LTS: versions 9.1.0.0 - 9.1.0.2
IBM MQ and IBM MQ Appliance version 9.1 CD: versions 9.1.1 - 9.1.2
IBM MQ version 9.1 LTS: Apply ifix IT28745.
IBM MQ version 9.1 CD: Apply ifix IT28745.
IBM MQ Appliance version 9.1 LTS: Apply ifix IT28745, or later maintenance.
IBM MQ Appliance version 9.1 CD: Apply ifix IT28745, or later maintenance.
IBM MQ RDQM is only affected when configured in a high availability (HA) group.
In most cases the IBM MQ Appliance is not affected by this issue. The exception is when you have a high availability configuration in which the two appliances are not directly connected (that is, they are remotely situated and connected by means of a switch or similar).
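The applicability rules above (version ranges, the RDQM HA group condition, and the appliance exception for HA pairs that are not directly connected) can be applied to an asset inventory as follows. This is an added example, not IBM code; the `Host` record, its field names and the sample hosts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Ranges and fix identifier come from the advisory text above.
LTS_RANGE = ((9, 1, 0, 0), (9, 1, 0, 2))  # 9.1 LTS: 9.1.0.0 - 9.1.0.2
CD_RANGE = ((9, 1, 1), (9, 1, 2))         # 9.1 CD: 9.1.1 - 9.1.2
IFIX = "IT28745"

@dataclass
class Host:
    """Hypothetical inventory record; field names are assumptions."""
    name: str
    product: str                     # "mq" (RDQM) or "appliance"
    version: str                     # V.R.M or V.R.M.F
    ha_configured: bool              # RDQM HA group / appliance HA pair
    directly_connected: bool = True  # only meaningful for appliance HA
    ifixes: tuple = ()               # interim fixes recorded as installed

def parse_version(text):
    """'9.1.0.2' -> (9, 1, 0, 2); a missing fix level is padded with 0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if not 3 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return parts + (0,) * (4 - len(parts))

def version_in_scope(text):
    v = parse_version(text)
    return (LTS_RANGE[0] <= v <= LTS_RANGE[1]
            or CD_RANGE[0] <= v[:3] <= CD_RANGE[1])

def needs_ifix(host):
    """Return (action_required, reason) for one inventory record."""
    if not version_in_scope(host.version):
        return False, "version outside the affected ranges"
    if IFIX in host.ifixes:
        return False, f"ifix {IFIX} already applied"
    if not host.ha_configured:
        return False, "not in a high availability configuration"
    if host.product == "appliance" and host.directly_connected:
        return False, "appliance HA pair is directly connected"
    return True, f"apply ifix {IFIX}"

# Constructed sample inventory (not real hosts).
INVENTORY = [
    Host("rdqm-a", "mq", "9.1.0.1", ha_configured=True),
    Host("rdqm-b", "mq", "9.1.2", ha_configured=False),
    Host("appl-a", "appliance", "9.1.0.2", True, directly_connected=False),
    Host("appl-b", "appliance", "9.1.1", True, directly_connected=True),
]

def triage(inventory):
    """Names of hosts that still need the interim fix."""
    return [h.name for h in inventory if needs_ifix(h)[0]]
```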