
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from curl, go and apr-util

Published: 2023-06-16 04:09:05
Source: www.ibm.com

CVSS v2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: NONE | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: PARTIAL

CVSS v3.1: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: NONE | Integrity Impact: NONE | Availability Impact: HIGH

EPSS: 0.005 Low (percentile 75.8%)

Summary

Multiple issues were identified in the Red Hat UBI packages curl, go and apr-util that were shipped with the IBM MQ Operator and the IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID: CVE-2023-27535
**DESCRIPTION:** cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in which FTP connections are reused too eagerly. By sending a specially crafted request, an attacker could exploit this vulnerability to reuse a previously created FTP connection.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/250530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2022-25147
**DESCRIPTION:** Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_base64 functions. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/246064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-2879
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by the failure of Reader.Read (archive/tar) to set a limit on the maximum size of file headers. By using a specially crafted archive, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/240560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-21698
**DESCRIPTION:** The Prometheus Go client library (client_golang) is vulnerable to a denial of service, caused by a flaw when handling requests with non-standard HTTP methods. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause memory exhaustion.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219707 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-35252
**DESCRIPTION:** cURL libcurl is vulnerable to a denial of service, caused by a flaw when cookies containing control codes are later sent back to an HTTP(S) server. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a “sister site” to deny service to its sibling sites.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/234980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM MQ Operator | CD: v2.3.2 and prior releases
IBM MQ Operator | LTS: v2.0.10 and prior releases
IBM supplied MQ Advanced container images | CD: 9.3.2.1-r1 and prior releases
IBM supplied MQ Advanced container images | LTS: 9.3.0.5-r1 and prior releases

Remediation/Fixes

The issues described in this security bulletin are addressed in the IBM MQ Operator v2.3.3 CD release, which includes the IBM supplied MQ Advanced 9.3.2.1-r2 container image, and in the IBM MQ Operator v2.0.11 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.5-r2 container image.

IBM strongly recommends addressing the vulnerabilities now.

**IBM MQ Operator 2.3.3 CD release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.3.3 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:f93a56a993ca6e1cd78b19b16031ee88594863c566521da732a885b64277d069
ibm-mqadvanced-server | 9.3.2.1-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:4a85eecbf562b15f7f77b35241db8275edebc8155bf7d1acaeb0d810912c44df
ibm-mqadvanced-server-integration | 9.3.2.1-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:735479508774ee5fcac48d8e46a6306df9096040516dacdb693bad1374392674
ibm-mqadvanced-server-dev | 9.3.2.1-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:937b4b860da8d2021adf14b65eb2ebef8f6b1bc811518f3bd20a9386730016e0

**IBM MQ Operator V2.0.11 LTS release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | 2.0.11 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:4a90befe144ea57baf570681f48ca37624470b2e339c7d2905da2b12750615f9
ibm-mqadvanced-server | 9.3.0.5-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:d4ea464d325b5e725bb638f33ac19123b41afe86586ab51a064e0bab3ad5d1b9
ibm-mqadvanced-server-integration | 9.3.0.5-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:fd7e7015070515988f9f65111aede5f298b46084ff9b6a800a63642a088ae00e
ibm-mqadvanced-server-dev | 9.3.0.5-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:d5abb9ecd9d10d76583163a97b235befea502ef0df0cbf9d315c4c397ee9100e
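The fix tables above pin every fixed image by digest rather than by tag. Tags such as `9.3.2.1-r2` are mutable, so the only reliable way to confirm a cluster is running the fixed images is to compare the digests in the running pod specs against the digests in the tables. The script below is an added example, not part of the IBM bulletin: it reads image references (one per line) from stdin, ignores images that are not MQ Operator or queue manager images, and reports each MQ image as `fixed`, `unknown-digest`, or `tag-only`. The `oc get pods` command shown in the comment is an assumption about how you would collect the references; the sample input at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: compare the image references
# running in a cluster against the fixed digests from the two tables above.
# Feed it one image reference per line on stdin. One assumed way to collect
# them (not taken from the bulletin) is:
#   oc get pods -A -o jsonpath='{range .items[*].spec.containers[*]}{.image}{"\n"}{end}'

# Digests of the fixed images listed in the bulletin (v2.3.3 CD and v2.0.11 LTS).
FIXED_DIGESTS="
sha256:f93a56a993ca6e1cd78b19b16031ee88594863c566521da732a885b64277d069
sha256:4a85eecbf562b15f7f77b35241db8275edebc8155bf7d1acaeb0d810912c44df
sha256:735479508774ee5fcac48d8e46a6306df9096040516dacdb693bad1374392674
sha256:937b4b860da8d2021adf14b65eb2ebef8f6b1bc811518f3bd20a9386730016e0
sha256:4a90befe144ea57baf570681f48ca37624470b2e339c7d2905da2b12750615f9
sha256:d4ea464d325b5e725bb638f33ac19123b41afe86586ab51a064e0bab3ad5d1b9
sha256:fd7e7015070515988f9f65111aede5f298b46084ff9b6a800a63642a088ae00e
sha256:d5abb9ecd9d10d76583163a97b235befea502ef0df0cbf9d315c4c397ee9100e
"

# is_mq_image REF: succeeds when REF names one of the images the bulletin covers.
is_mq_image() {
  case "$1" in
    *ibm-mq-operator*|*ibm-mqadvanced-server*|*ibm-messaging/mq*) return 0 ;;
    *) return 1 ;;
  esac
}

# image_digest REF: prints the sha256 digest of REF, or nothing for a tag-only reference.
image_digest() {
  case "$1" in
    *@sha256:*) printf '%s\n' "${1##*@}" ;;
  esac
}

# classify_image REF: prints "fixed", "unknown-digest" or "tag-only".
# A tag-only reference cannot prove anything, because a tag can be re-pointed;
# only a digest that matches the bulletin counts as evidence the fix is in use.
classify_image() {
  d=$(image_digest "$1")
  if [ -z "$d" ]; then
    echo tag-only
    return 0
  fi
  for f in $FIXED_DIGESTS; do
    if [ "$f" = "$d" ]; then
      echo fixed
      return 0
    fi
  done
  echo unknown-digest
}

# check_images: reads references from stdin, prints "<status> <ref>" for every
# MQ image, skips other images, and returns 1 if any MQ image is not at a fixed digest.
check_images() {
  rc=0
  while IFS= read -r ref; do
    if [ -z "$ref" ] || ! is_mq_image "$ref"; then
      continue
    fi
    status=$(classify_image "$ref")
    printf '%s %s\n' "$status" "$ref"
    if [ "$status" != fixed ]; then
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample input (not real cluster output): a fixed operator image,
# a tag-only queue manager image, and an unrelated image that is skipped.
SAMPLE_REFS="icr.io/cpopen/ibm-mq-operator@sha256:f93a56a993ca6e1cd78b19b16031ee88594863c566521da732a885b64277d069
cp.icr.io/cp/ibm-mqadvanced-server:9.3.2.1-r1
registry.access.redhat.com/ubi8/ubi:latest"

printf '%s\n' "$SAMPLE_REFS" | check_images \
  || echo "at least one MQ image is not running at a fixed digest"
```

A `tag-only` result is reported as a failure on purpose: even if the tag happens to resolve to the fixed image today, the pod spec does not pin it, and a later pull could resolve to something else. Update the deployment to reference the image by the digest from the tables and re-run the check.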

Workarounds and Mitigations

Important note for users of Operations Dashboard on the IBM MQ LTS Queue Manager Container 9.3.0.5-r2 image

When Operations Dashboard is enabled, the IBM MQ LTS Queue Manager Container image 9.3.0.5-r2 deploys Operations Dashboard Agent and Collector images that do not contain the latest security fixes available at the time of their GA.

Mitigation: Upgrade all IBM MQ LTS Queue Manager Container 9.3.0.5-r2 deployments that have Operations Dashboard enabled to at least 9.3.0.5-r3. To complete this upgrade, follow the instructions in "Upgrading an IBM MQ queue manager using Red Hat OpenShift".

