CVSS3 Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 32.6%
When using the IBM Supplied MQ Advanced for Integration container image (ibm-mqadvanced-server-integration), all users authenticated with the cluster are granted administration access to the MQ Console, without checking IAM access rights. The MQ Console log will report the following error: CWWKF0042E: A feature definition cannot be found for the bells-1.0 feature. Try running the command, bin/installUtility install bells-1.0, to install the feature.
CVEID: CVE-2023-26284
**DESCRIPTION:** IBM MQ Certified Container could allow users authenticated with the cluster to be granted administration access to the MQ console due to improper access controls.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/248417 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Supplied MQ Advanced Queue Manager Container images (ibm-mqadvanced-server-integration) | 9.3.0.1-r1 through 9.3.0.1-r4 (inclusive), 9.3.0.3-r1, 9.3.1.0-r1 through 9.3.1.0-r3 (inclusive), and 9.3.1.1-r1 |
Issues listed by this security bulletin are addressed in IBM supplied MQ Advanced 9.3.2.0 container image for CD release and IBM supplied MQ Advanced 9.3.0.4 container image for LTS release.
IBM supplied MQ Advanced 9.3.2.0 container image for CD release:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mqadvanced-server-integration | 9.3.2.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8 |
IBM supplied MQ Advanced 9.3.0.4 container image for LTS release:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mqadvanced-server-integration | 9.3.0.4-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0 |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_mq_certified_container_software | 9.3.2.0 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:9.3.2.0:*:*:*:*:*:*:* |
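
A triage check built from the affected versions, fixed image digests and console log error listed in this bulletin. This is an added example, not IBM's code; the `<version>-r<release>` tag format, the function names and the sample inputs are assumptions made for illustration.

```python
import re

IMAGE = "ibm-mqadvanced-server-integration"
# Affected releases from the bulletin: (version, first -r, last -r), inclusive.
AFFECTED = [("9.3.0.1", 1, 4), ("9.3.0.3", 1, 1), ("9.3.1.0", 1, 3), ("9.3.1.1", 1, 1)]
# Fix versions and their digests, copied from the bulletin's image tables.
FIXED = {
    "9.3.2.0-r1": "sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8",
    "9.3.0.4-r1": "sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0",
}
# Assumption: tags begin with "<version>-r<release>", matching the bulletin's naming.
TAG_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)-r(\d+)")

def classify_image(ref):
    """Return 'affected', 'fixed', 'unknown' or 'not-applicable' for an image reference."""
    last = ref.rsplit("/", 1)[-1]           # drop registry (and its port) and path
    name, has_digest, digest = last.partition("@")
    name, _, tag = name.partition(":")
    if name != IMAGE:
        return "not-applicable"
    if has_digest:                          # a digest pin is authoritative over any tag
        return "fixed" if digest in FIXED.values() else "unknown"
    m = TAG_RE.match(tag)
    if not m:
        return "unknown"                    # e.g. "latest": resolve the digest instead
    version, release = m.group(1), int(m.group(2))
    if any(version == v and lo <= release <= hi for v, lo, hi in AFFECTED):
        return "affected"
    return "fixed" if f"{version}-r{release}" in FIXED else "unknown"

def console_log_indicator(lines):
    """Return log lines carrying the error the bulletin associates with this issue."""
    return [ln for ln in lines if "CWWKF0042E" in ln and "bells-1.0" in ln]

# Constructed sample inputs: registry paths, tags and log prefixes are made up.
SAMPLE_IMAGES = [
    "cp.icr.io/cp/ibm-mqadvanced-server-integration:9.3.0.1-r3",
    "registry.example:5000/mq/ibm-mqadvanced-server-integration:9.3.0.1-r5",
    "cp.icr.io/cp/ibm-mqadvanced-server-integration@" + FIXED["9.3.2.0-r1"],
    "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.1-r1",
]
SAMPLE_LOG = [
    "[constructed] CWWKF0011I: The server is ready to run a smarter planet.",
    "[constructed] CWWKF0042E: A feature definition cannot be found for the bells-1.0 feature.",
]

if __name__ == "__main__":
    for ref in SAMPLE_IMAGES:
        print(f"{classify_image(ref):15} {ref}")
    for ln in console_log_indicator(SAMPLE_LOG):
        print("indicator:", ln)
```

An `unknown` result means the release is not named in this bulletin, so it should be resolved to a digest and compared against the fixed images rather than assumed safe.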