History: Aug 01, 2023 - 6:33 a.m.

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from openssl-libs, libssh, libarchive, sqlite and go-toolset

2023-08-01 06:33:11
www.ibm.com

Tags: ibm mq, vulnerabilities, openssl-libs, libssh, libarchive, sqlite, go-toolset

CVSS2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.008 (Percentile 81.9%)

Summary

Multiple issues were identified in the Red Hat UBI packages openssl-libs, libssh, libarchive, sqlite and go-toolset that were shipped with the IBM MQ Operator and the IBM supplied MQ Advanced container images (CVE-2020-24736, CVE-2020-29652, CVE-2022-32189, CVE-2023-2283, CVE-2022-36227, CVE-2023-24538, CVE-2023-28642, CVE-2022-29162, CVE-2023-0465, CVE-2023-24534, CVE-2022-27664, CVE-2023-1667). IBM has addressed the vulnerabilities.

Vulnerability Details

CVEID: CVE-2020-24736
**DESCRIPTION:** SQLite is vulnerable to a denial of service, caused by a buffer overflow in window functions. By using a specially crafted script, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/253878 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-29652
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a NULL pointer dereference in the golang.org/x/crypto/ssh component. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/193622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-32189
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a flaw in Float.GobDecode and Rat.GobDecode in math/big. By sending a specially crafted message, a remote attacker could exploit this vulnerability to cause a panic.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/233149 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-2283
**DESCRIPTION:** libssh could allow a remote attacker to bypass security restrictions, caused by a memory allocation flaw in the pki_verify_data_signature function. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the authentication check of the connecting client.
CVSS Base score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/257617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2022-36227
**DESCRIPTION:** libarchive is vulnerable to a denial of service, caused by a NULL pointer dereference because the return value of calloc is not checked for an error. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/241187 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-24538
**DESCRIPTION:** Golang Go could allow a remote attacker to execute arbitrary code on the system, caused by the failure to properly consider backticks (`) as JavaScript string delimiters. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/252178 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-28642
**DESCRIPTION:** runc could allow a remote attacker to bypass security restrictions, caused by a symbolic link following vulnerability. By creating a symbolic link inside a container to the /proc directory, an attacker could exploit this vulnerability to bypass AppArmor and SELinux protections.
CVSS Base score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/251539 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)

CVEID: CVE-2022-29162
**DESCRIPTION:** Open Container Initiative runc could allow a local attacker to gain elevated privileges on the system, caused by an issue where `runc exec --cap` executed processes with non-empty inheritable Linux process capabilities. By executing specially crafted programs, an attacker could exploit this vulnerability to gain elevated privileges.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/226393 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2023-0465
**DESCRIPTION:** OpenSSL could allow a remote attacker to bypass security restrictions, caused by a flaw when using a non-default option to verify certificates. By using invalid certificate policies in leaf certificates, an attacker could exploit this vulnerability to bypass policy checking.
CVSS Base score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/251293 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-24534
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by memory exhaustion in the common function used for HTTP and MIME header parsing. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/252276 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-27664
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a flaw in net/http. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a closing HTTP/2 server connection to hang, resulting in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/235355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-1667
**DESCRIPTION:** libssh is vulnerable to a denial of service, caused by a NULL pointer dereference during rekeying with algorithm guessing. A remote authenticated attacker could exploit this vulnerability to cause the daemon to crash.
CVSS Base score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/256622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM MQ Operator | **CD:** v2.4.0, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3 **LTS:** v2.0.0 - 2.0.12
IBM supplied MQ Advanced container images | **CD:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2 **LTS:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3

Remediation/Fixes

The issues described in this security bulletin are addressed in the IBM MQ Operator v2.4.1 CD release, which includes the IBM supplied MQ Advanced 9.3.3.0-r2 container image, and in the IBM MQ Operator v2.0.13 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.6-r1 container image.
IBM strongly recommends applying the latest container images.

**IBM MQ Operator 2.4.1 CD release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.4.1 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:46c663220f9bc585dba2e15152104c1fe7384ad502790995a72ccf043c204800
ibm-mqadvanced-server | 9.3.3.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:c18cd340c046c83a9dfab92651421f1031259b9666bc7b26a63c37826a1df042
ibm-mqadvanced-server-integration | 9.3.3.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:14f1bb3d885557d6c75cd1b2f2a418480a0910b0cf5b54db465968b6227b78ca
ibm-mqadvanced-server-dev | 9.3.3.0-r2 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:6f43f9da185b2e1c6e2159830189d9e5f5e1771c124909650905cc598c60a562

**IBM MQ Operator V2.0.13 LTS release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | 2.0.13 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:d54292daaf25da3079686ef6db860f7be0d47c0f11238b934f16c7330363f04a
ibm-mqadvanced-server | 9.3.0.6-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:0eca00c11897ba2269ba90b3af4e98f2883bc5c00b07f4a8f7d7f5f4f4872e92
ibm-mqadvanced-server-integration | 9.3.0.6-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:73571a8a42dbaf7b4be78644a6dfccf7cab512a8d9cda54ad13cf6c5e406d1e2
ibm-mqadvanced-server-dev | 9.3.0.6-r1 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:5db09f9ce5a64c9d62a39c8254f8b13a312b94394113a15088cfb1a91c136b5f
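Since the fixed releases are published as immutable digests, a platform team can verify remediation by comparing the image references actually running in the cluster against those digests rather than trusting a mutable tag. The following is an added example, not code from IBM's bulletin or from the MQ Operator; the repository names and digests are copied from the two release tables above, while the sample image references, the `kubectl` jsonpath query mentioned in the comment and the verdict labels are constructed for illustration.

```python
"""Check container image references against the fixed digests published in this
bulletin (IBM MQ Operator 2.4.1 CD and 2.0.13 LTS)."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Fixed image digests copied from the bulletin's two release tables.
FIXED_DIGESTS: Dict[str, Set[str]] = {
    "icr.io/cpopen/ibm-mq-operator": {
        "sha256:46c663220f9bc585dba2e15152104c1fe7384ad502790995a72ccf043c204800",  # v2.4.1 CD
        "sha256:d54292daaf25da3079686ef6db860f7be0d47c0f11238b934f16c7330363f04a",  # 2.0.13 LTS
    },
    "cp.icr.io/cp/ibm-mqadvanced-server": {
        "sha256:c18cd340c046c83a9dfab92651421f1031259b9666bc7b26a63c37826a1df042",  # 9.3.3.0-r2
        "sha256:0eca00c11897ba2269ba90b3af4e98f2883bc5c00b07f4a8f7d7f5f4f4872e92",  # 9.3.0.6-r1
    },
    "cp.icr.io/cp/ibm-mqadvanced-server-integration": {
        "sha256:14f1bb3d885557d6c75cd1b2f2a418480a0910b0cf5b54db465968b6227b78ca",  # 9.3.3.0-r2
        "sha256:73571a8a42dbaf7b4be78644a6dfccf7cab512a8d9cda54ad13cf6c5e406d1e2",  # 9.3.0.6-r1
    },
    "icr.io/ibm-messaging/ibm-mqadvanced-server-dev": {
        "sha256:6f43f9da185b2e1c6e2159830189d9e5f5e1771c124909650905cc598c60a562",  # 9.3.3.0-r2
        "sha256:5db09f9ce5a64c9d62a39c8254f8b13a312b94394113a15088cfb1a91c136b5f",  # 9.3.0.6-r1
    },
}

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an OCI image reference into (repository, tag, digest).

    Accepts 'repo', 'repo:tag', 'repo@sha256:...' and 'repo:tag@sha256:...', and
    tolerates a runtime prefix such as 'docker-pullable://' as some runtimes
    report in pod .status.containerStatuses[*].imageID.
    """
    ref = ref.strip().split("://", 1)[-1]
    name, _, digest = ref.partition("@")
    # A ':' after the last '/' introduces a tag; a ':' before it is a registry port.
    head, slash, last = name.rpartition("/")
    last, _, tag = last.partition(":")
    repo = head + slash + last
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in image reference: {ref}")
    return repo, tag or None, digest or None


def check_image(ref: str) -> str:
    """Classify one image reference against the bulletin's fixed digests.

    'fixed'         digest is one of the fixed images listed in the bulletin
    'not-fixed'     image is covered by the bulletin but the digest differs
    'unverifiable'  covered image referenced by a mutable tag only
    'not-covered'   image is not one of the four listed in the bulletin
    """
    repo, _tag, digest = parse_image_ref(ref)
    if repo not in FIXED_DIGESTS:
        return "not-covered"
    if digest is None:
        return "unverifiable"
    return "fixed" if digest in FIXED_DIGESTS[repo] else "not-fixed"


def check_images(refs: List[str]) -> Dict[str, str]:
    """Classify every reference in the list (duplicates collapse into one entry)."""
    return {ref: check_image(ref) for ref in refs}


# Constructed sample input (assumption, not cluster output). In a real check the list
# would come from the resolved image IDs of running pods, for example:
# kubectl get pods -A -o jsonpath='{range .items[*]}{range .status.containerStatuses[*]}{.imageID}{"\n"}{end}{end}'
SAMPLE_REFS = [
    "icr.io/cpopen/ibm-mq-operator@sha256:46c663220f9bc585dba2e15152104c1fe7384ad502790995a72ccf043c204800",
    "docker-pullable://cp.icr.io/cp/ibm-mqadvanced-server@sha256:0eca00c11897ba2269ba90b3af4e98f2883bc5c00b07f4a8f7d7f5f4f4872e92",
    "cp.icr.io/cp/ibm-mqadvanced-server@sha256:" + "0" * 64,  # constructed: an unlisted build
    "icr.io/ibm-messaging/ibm-mqadvanced-server-dev:9.3.3.0-r2",  # tag only: not verifiable
    "quay.io/example/sidecar:1.0",  # constructed: unrelated image
]

if __name__ == "__main__":
    for image_ref, verdict in check_images(SAMPLE_REFS).items():
        print(f"{verdict:13} {image_ref}")
```

The check deliberately reports a tag-only reference as unverifiable rather than fixed: a tag such as `9.3.3.0-r2` can be re-pointed at a different manifest, while the `sha256` digest in the bulletin identifies exactly one image, so pod specs and operator subscriptions should pin the digest.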

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm ibm_mq_certified_container_software Match 2.4.1 OR ibm ibm_mq_certified_container_software Match 2.0.13

Vendor | Product | Version | CPE
---|---|---|---
ibm | ibm_mq_certified_container_software | 2.4.1 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.4.1:*:*:*:*:*:*:*
ibm | ibm_mq_certified_container_software | 2.0.13 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.0.13:*:*:*:*:*:*:*
