Security Bulletin: IBM MQ RDQM and IBM MQ Appliance are vulnerable to a denial of service attack (CVE-2018-1084)

Summary

A denial of service vulnerability was discovered within the corosync library which is used by the RDQM feature of IBM MQ and the high availability feature of IBM MQ Appliance.

Vulnerability Details

CVEID: CVE-2018-1084 DESCRIPTION: Corosync is vulnerable to a denial of service, caused by an integer overflow in exec/totemcrypto.c. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/141586&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ and IBM MQ Appliance version 9.1 LTS

versions 9.1.0.0 - 9.1.0.2

IBM MQ and IBM MQ Appliance version 9.1 CD

versions 9.1.1 - 9.1.2

Remediation/Fixes

IBM MQ version 9.1 LTS

Apply ifix IT28745

IBM MQ version 9.1 CD

Apply ifix IT28745

IBM MQ Appliance version 9.1 LTS

Apply ifix IT28745, or later maintenance.

IBM MQ Appliance version 9.1 CD

Apply ifix IT28745, or later maintenance

Workarounds and Mitigations

IBM MQ RDQM is only affected when configured in a high availability (HA) group.

In most cases the IBM MQ Appliance is not affected by this issue. The exception
is when you have a high availability configuration in which the two appliances are
not directly connected (that is, they are remotely situated and connected by means of
a switch or similar).