CVSS2
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3
Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Percentile: 80.5%

Multiple issues were identified in the krb5 and e2fsprogs packages of Red Hat UBI (ubi8/ubi-minimal) v8.6-x that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images. These vulnerabilities have been addressed, and the fixes now ship with Red Hat UBI (ubi8/ubi-minimal) v8.7-x.

CVEID: CVE-2022-42898
**DESCRIPTION:** MIT krb5 is vulnerable to a denial of service, caused by an integer overflow in PAC parsing in the krb5_parse_pac() function. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to cause a KDC or kadmind process to crash.
CVSS Base score: 6.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240238 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2022-1304
**DESCRIPTION:** e2fsprogs could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds read/write vulnerability. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system or cause a segmentation fault.
CVSS Base score: 7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/224602 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)

Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | CD: 2.2.0 and prior releases |
IBM MQ Operator | LTS: 2.0.5 and prior releases |
IBM supplied MQ Advanced container images | 9.3.0.1-r3, 9.3.1.0-r2 and prior releases |

The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.2.1 CD release, which includes IBM supplied MQ Advanced 9.3.1.0-r3 container images, and in the IBM MQ Operator 2.0.6 LTS release, which includes IBM supplied MQ Advanced 9.3.0.1-r4 container images.

IBM MQ Operator 2.2.1 CD release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.2.1 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:db0bd02f14ab6002eec3542978edddb18ae91d7bff36fbfab95fd6b0357ca8ab |
ibm-mqadvanced-server | 9.3.1.0-r3 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2 |
ibm-mqadvanced-server-integration | 9.3.1.0-r3 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:966d870d250c59aede758f9ec88ff8260642161b342b51c4dd02927919a9eeb0 |
ibm-mqadvanced-server-dev | 9.3.1.0-r3 | icr.io | icr.io/ibm-messaging/mq@sha256:fb4932d61046fc52bd5016e251998c9f2cd522b74b2e144e3aac1556cf50545c |
IBM MQ Operator 2.0.6 LTS release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.6 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:5349ef3fabccccb8b18d3a4c7fd179f38781eb7a906498134c8fbb7bdaa46f54 |
ibm-mqadvanced-server | 9.3.0.1-r4 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:a4030bccc89d18654329a033fe36bfbb52043d6990fff9aabed0c1a4bc2708ce |
ibm-mqadvanced-server-integration | 9.3.0.1-r4 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:5f6a9b6c5fe285f32db5ccb39ffa3098b6bd1f8783f537bfae68e68f07ed9a57 |
ibm-mqadvanced-server-dev | 9.3.0.1-r4 | icr.io | icr.io/ibm-messaging/mq@sha256:1823acd88716c23a63c338004fc1ba2f33cd636631850f5efc75a596ceffe5ab |
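
A version check built from the affected and fixed levels in the tables above, to triage an inventory of operator and image versions. This is an added example, not IBM's code: the `classify` and `audit` names, the sample inventory, and the rule that versions order numerically with everything outside the LTS stream judged against the CD fix are assumptions of this example.

```python
import re

# Fix levels copied from the bulletin's tables: (pattern, LTS fix, CD fix, stream length).
# Assumption: versions compare numerically, and "prior releases" means every
# earlier release, so anything outside the LTS stream is judged against the CD fix.
RULES = {
    "operator": (re.compile(r"^(\d+)\.(\d+)\.(\d+)$"), (2, 0, 6), (2, 2, 1), 2),
    "image": (re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)$"),
              (9, 3, 0, 1, 4), (9, 3, 1, 0, 3), 3),
}


def classify(product, version):
    """Return 'affected', 'fixed' or 'unknown' for one product/version pair."""
    rule = RULES.get(product)
    if rule is None:
        return "unknown"
    pattern, lts_fix, cd_fix, stream_len = rule
    match = pattern.match(version.strip())
    if match is None:
        # Digest-only or free-form references cannot be judged by version.
        return "unknown"
    parsed = tuple(int(part) for part in match.groups())
    # Releases in the LTS stream (2.0.x, 9.3.0.x) are fixed at the LTS level.
    fix = lts_fix if parsed[:stream_len] == lts_fix[:stream_len] else cd_fix
    return "affected" if parsed < fix else "fixed"


def audit(inventory):
    """Return the entries that still need an upgrade or a manual check."""
    return [(name, product, version, verdict)
            for name, product, version in inventory
            for verdict in [classify(product, version)]
            if verdict != "fixed"]


# Constructed inventory (hypothetical deployment names, not from the bulletin).
SAMPLE_INVENTORY = [
    ("prod-operator", "operator", "2.0.5"),
    ("dev-operator", "operator", "2.2.1"),
    ("qm-payments", "image", "9.3.0.1-r3"),
    ("qm-orders", "image", "9.3.1.0-r3"),
    ("qm-legacy", "image", "sha256:<digest>"),
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_INVENTORY):
        print(*entry)
```

Entries reported as `unknown` are pinned by digest or use a tag the pattern does not recognise; compare those against the Image Location digests in the tables above.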
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_mq_certified_container_software | 2.2.1 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.2.1:*:*:*:*:*:*:* |
ibm | ibm_mq_certified_container_software | 2.0.6 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.0.6:*:*:*:*:*:*:* |