Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from IBM MQ

Published: 2024-03-12 12:18:31
Source: www.ibm.com
Tags: ibm mq, security fixes, crafted url, clear text, user credentials, trace options, buffering logic, vulnerability, ibm mq operator, mq advanced container images, cve-2023-26159, cve-2023-47745, cve-2024-25016, remote attacker, denial of service, phishing attacks

CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 7.2 (Confidence: High)
EPSS: 0.001 (Percentile: 19.8%)

Summary

IBM MQ added security fixes for "handling a crafted URL", "removing clear text user credentials from trace options" and "improved buffering logic to avoid a DoS attack". The IBM MQ build that contains these fixes is shipped with the IBM MQ Operator and the IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID: CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2023-47745
**DESCRIPTION:** IBM MQ Operator 2.0.0 LTS, 2.0.18 LTS, 3.0.0 CD, 3.0.1 CD, 2.4.0 through 2.4.7, 2.3.0 through 2.3.3, and 2.2.0 through 2.2.2 stores or transmits user credentials in plain clear text which can be read by a local user using a trace command. IBM X-Force ID: 272638.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272638 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-25016
**DESCRIPTION:** IBM MQ and IBM MQ Appliance 9.0, 9.1, 9.2, 9.3 LTS and 9.3 CD could allow a remote unauthenticated attacker to cause a denial of service due to incorrect buffering logic. IBM X-Force ID: 281279.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) and Version(s)

IBM MQ Operator

**CD:** v3.0.0, v3.0.1

**LTS:** v2.0.0 - v2.0.18

**Other Release:** v2.4.0 - v2.4.7, v2.3.0 - v2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images

**CD:** 9.3.4.0-r1, 9.3.4.1-r1

**LTS:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1

**Other Release:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, 9.3.3.3-r1

Remediation/Fixes

The issues described in this security bulletin are addressed in:

  • IBM MQ Operator v3.1.0 CD release, which includes the IBM supplied MQ Advanced 9.3.5.0-r1 container image
  • IBM MQ Operator v2.0.19 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.16-r1 container image
  • IBM MQ Operator v2.4.8 release, which includes the IBM supplied MQ Advanced 9.3.3.3-r2 container image

IBM strongly recommends applying the latest container images.

NOTE: This is the last security-fix release for MQ Operator 2.4, as stated in the original announcement.

**IBM MQ Operator 3.1.0 CD release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v3.1.0 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:9f443da42a0065b75b39be99de8160b1bee400423c857bfd4c4d664c885eccf8
ibm-mqadvanced-server | 9.3.5.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:076df92951ea6a917b60b7436d92a182b50e2eba28d423a5e5b1d532b25abb05
ibm-mqadvanced-server-integration | 9.3.5.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:3e74fd9655d1b339414bc1ed62477f74c2f026183b0ca8a8fa7911fe557bf42d
ibm-mqadvanced-server-dev | 9.3.5.0-r1 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:5b2dcf4884c23a265c8a5fb98d0e8a4c3b7acf74fa1dae9419f69f74b1d77ccd

IBM MQ Operator V2.0.19 LTS release details:

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.0.19 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:618963778a52eb778d4e2d4ad9f03f6a5861a5e5cfa7d5ee0b4b39ac52920ce5
ibm-mqadvanced-server | 9.3.0.16-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:7f9e6b9955b6bfadc826e0f2bece430cf7a6e480db3f22b89ad8d686bdd48831
ibm-mqadvanced-server-integration | 9.3.0.16-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:76cc83e40c964d1429a458c5d3662ea1d4c12e7551f7e298479d6b970effa5fc
ibm-mqadvanced-server-dev | 9.3.0.16-r1 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:b23b9fa3d1b024a9ab727ddae9bcc8fb9d0fb6d163acc45caffb2e60a2cbad55

IBM MQ Operator V2.4.8 CD release details:

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.4.8 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:1aa75c6dc6ce29f10e088073e1c1d7f4dcd511e601096493378478dbbfbe417b
ibm-mqadvanced-server | 9.3.3.3-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:1e84f0909461f917fb37fcba13e1713be8282ec205303b9160e8bc520d74fe33
ibm-mqadvanced-server-integration | 9.3.3.3-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:f0e4f37bd229b15b76e611769630b70fd53832eacae66c2cf4ad61b465ba3d16
ibm-mqadvanced-server-dev | 9.3.3.3-r2 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:7d5f88046424c21f0137474bb2b6a1b02a219f02e1a9fc20f9f474a7b0f4d44a
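The release tables above identify the fixed images by digest, and the Affected Products section lists the vulnerable tags. What a practitioner usually needs is to check which of those a cluster is actually running, preferring the digest reported by the kubelet over the mutable tag in the pod spec. The script below is an added example, not part of the IBM bulletin or any IBM tooling. It assumes `kubectl get pods -A -o json` output in the standard Kubernetes schema and that `status.containerStatuses[].imageID` is reported as `repo@sha256:...` (containerd) or `docker-pullable://repo@sha256:...` (the older Docker shim); the sample pod JSON at the bottom is constructed for illustration, with all-zero and all-one placeholder digests that are not real image digests.

```python
"""Audit pod image references against this bulletin's fixed digests and affected tags.
Added example, not IBM tooling; the sample pod JSON at the bottom is constructed."""
import json
import re
from typing import Dict, List, Optional, Tuple

OPERATOR_REPO = "icr.io/cpopen/ibm-mq-operator"
# Fixed images copied from the three release tables above: (repository, tag, digest).
_FIXED = [
    (OPERATOR_REPO, "v3.1.0", "sha256:9f443da42a0065b75b39be99de8160b1bee400423c857bfd4c4d664c885eccf8"),
    (OPERATOR_REPO, "v2.0.19", "sha256:618963778a52eb778d4e2d4ad9f03f6a5861a5e5cfa7d5ee0b4b39ac52920ce5"),
    (OPERATOR_REPO, "v2.4.8", "sha256:1aa75c6dc6ce29f10e088073e1c1d7f4dcd511e601096493378478dbbfbe417b"),
    ("cp.icr.io/cp/ibm-mqadvanced-server", "9.3.5.0-r1", "sha256:076df92951ea6a917b60b7436d92a182b50e2eba28d423a5e5b1d532b25abb05"),
    ("cp.icr.io/cp/ibm-mqadvanced-server", "9.3.0.16-r1", "sha256:7f9e6b9955b6bfadc826e0f2bece430cf7a6e480db3f22b89ad8d686bdd48831"),
    ("cp.icr.io/cp/ibm-mqadvanced-server", "9.3.3.3-r2", "sha256:1e84f0909461f917fb37fcba13e1713be8282ec205303b9160e8bc520d74fe33"),
    ("cp.icr.io/cp/ibm-mqadvanced-server-integration", "9.3.5.0-r1", "sha256:3e74fd9655d1b339414bc1ed62477f74c2f026183b0ca8a8fa7911fe557bf42d"),
    ("cp.icr.io/cp/ibm-mqadvanced-server-integration", "9.3.0.16-r1", "sha256:76cc83e40c964d1429a458c5d3662ea1d4c12e7551f7e298479d6b970effa5fc"),
    ("cp.icr.io/cp/ibm-mqadvanced-server-integration", "9.3.3.3-r2", "sha256:f0e4f37bd229b15b76e611769630b70fd53832eacae66c2cf4ad61b465ba3d16"),
    ("icr.io/ibm-messaging/ibm-mqadvanced-server-dev", "9.3.5.0-r1", "sha256:5b2dcf4884c23a265c8a5fb98d0e8a4c3b7acf74fa1dae9419f69f74b1d77ccd"),
    ("icr.io/ibm-messaging/ibm-mqadvanced-server-dev", "9.3.0.16-r1", "sha256:b23b9fa3d1b024a9ab727ddae9bcc8fb9d0fb6d163acc45caffb2e60a2cbad55"),
    ("icr.io/ibm-messaging/ibm-mqadvanced-server-dev", "9.3.3.3-r2", "sha256:7d5f88046424c21f0137474bb2b6a1b02a219f02e1a9fc20f9f474a7b0f4d44a"),
]
FIXED_IMAGES: Dict[str, Dict[str, str]] = {}  # repository -> {tag: digest}
for _repo, _tag, _digest in _FIXED:
    FIXED_IMAGES.setdefault(_repo, {})[_tag] = _digest

# Affected queue-manager image tags: the CD, LTS and "Other Release" lists above, merged.
AFFECTED_QM_TAGS = frozenset("""
9.2.0.1-r1-eus 9.2.0.2-r1-eus 9.2.0.2-r2-eus 9.2.0.4-r1-eus 9.2.0.5-r1-eus 9.2.0.5-r2-eus 9.2.0.5-r3-eus
9.2.0.6-r1-eus 9.2.0.6-r2-eus 9.2.0.6-r3-eus 9.2.3.0-r1 9.2.4.0-r1 9.2.5.0-r1 9.2.5.0-r2 9.2.5.0-r3
9.3.0.0-r1 9.3.0.0-r2 9.3.0.0-r3 9.3.0.1-r1 9.3.0.1-r2 9.3.0.1-r3 9.3.0.1-r4 9.3.0.3-r1 9.3.0.4-r1
9.3.0.4-r2 9.3.0.5-r1 9.3.0.5-r2 9.3.0.5-r3 9.3.0.6-r1 9.3.0.10-r1 9.3.0.10-r2 9.3.0.11-r1 9.3.0.11-r2
9.3.0.15-r1 9.3.1.0-r1 9.3.1.0-r2 9.3.1.0-r3 9.3.1.1-r1 9.3.2.0-r1 9.3.2.0-r2 9.3.2.1-r1 9.3.2.1-r2
9.3.3.0-r1 9.3.3.0-r2 9.3.3.1-r1 9.3.3.1-r2 9.3.3.2-r1 9.3.3.2-r2 9.3.3.2-r3 9.3.3.3-r1 9.3.4.0-r1 9.3.4.1-r1
""".split())
# Affected operator versions as inclusive (low, high) ranges from the bulletin.
AFFECTED_OPERATOR_RANGES = [((3, 0, 0), (3, 0, 1)), ((2, 0, 0), (2, 0, 18)), ((2, 4, 0), (2, 4, 7)),
                            ((2, 3, 0), (2, 3, 3)), ((2, 2, 0), (2, 2, 2))]

# 'repo[:tag][@sha256:<64 hex>]', optionally behind the docker-pullable:// prefix older kubelets emit.
REF_RE = re.compile(r"^(?:docker-pullable://)?(?P<repo>[^@]+?)(?::(?P<tag>[^/@:]+))?"
                    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an image reference into (repository, tag, digest); tag and digest may be None."""
    m = REF_RE.match(ref)
    if not m:
        raise ValueError(f"unrecognised image reference: {ref}")
    return m.group("repo"), m.group("tag"), m.group("digest")

def merge_ref(image: str, image_id: Optional[str]) -> str:
    """Join spec.image (carries the tag) with status.imageID (carries the registry digest).
    A bare 'sha256:...' imageID is a local image ID, not a registry digest, so it is ignored."""
    repo, tag, digest = parse_ref(image)
    if image_id and not image_id.startswith("sha256:"):
        digest = parse_ref(image_id)[2] or digest
    return repo + (f":{tag}" if tag else "") + (f"@{digest}" if digest else "")

def _operator_affected(tag: str) -> bool:
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)$", tag)
    if not m:
        return False
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED_OPERATOR_RANGES)

def classify(ref: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one image reference."""
    repo, tag, digest = parse_ref(ref)
    fixed = FIXED_IMAGES.get(repo)
    if fixed is None:
        return "unknown"  # not an image this bulletin covers
    # A digest match is proof; a fixed-looking tag counts only when no digest contradicts it.
    if (digest in fixed.values()) if digest else (tag in fixed):
        return "fixed"
    if repo == OPERATOR_REPO:
        return "affected" if tag and _operator_affected(tag) else "unknown"
    return "affected" if tag in AFFECTED_QM_TAGS else "unknown"

def audit_pods(kubectl_json: str) -> List[Tuple[str, str, str, str]]:
    """Classify every container in `kubectl get pods -A -o json` output."""
    findings = []
    for pod in json.loads(kubectl_json).get("items", []):
        pod_name = f"{pod['metadata'].get('namespace', 'default')}/{pod['metadata']['name']}"
        for cs in pod.get("status", {}).get("containerStatuses", []):
            ref = merge_ref(cs["image"], cs.get("imageID"))
            findings.append((pod_name, cs["name"], ref, classify(ref)))
    return findings

# Constructed sample (stale operator, patched queue manager, stale dev image); zero/one digests are placeholders.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "ibm-mq", "name": "ibm-mq-operator-7d9f"}, "status": {"containerStatuses": [
        {"name": "operator", "image": "icr.io/cpopen/ibm-mq-operator:v2.4.7",
         "imageID": "icr.io/cpopen/ibm-mq-operator@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "mq-prod", "name": "qm1-ibm-mq-0"}, "status": {"containerStatuses": [
        {"name": "qmgr", "image": "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.16-r1",
         "imageID": "cp.icr.io/cp/ibm-mqadvanced-server@"
                    + FIXED_IMAGES["cp.icr.io/cp/ibm-mqadvanced-server"]["9.3.0.16-r1"]}]}},
    {"metadata": {"namespace": "mq-dev", "name": "qmdev-ibm-mq-0"}, "status": {"containerStatuses": [
        {"name": "qmgr", "image": "icr.io/ibm-messaging/ibm-mqadvanced-server-dev:9.3.0.15-r1",
         "imageID": "docker-pullable://icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:" + "1" * 64}]}},
]})
```

On a real cluster, pass the output of `kubectl get pods -A -o json` to `audit_pods` and act on every `affected` row. Only a digest match is treated as proof of a fix: tags are mutable, a fixed-looking tag whose digest does not match any table above is reported as `unknown`, and an `imageID` that is a bare `sha256:` image ID (as some runtimes report) is ignored rather than mistaken for a registry digest. Anything `unknown` is a release this bulletin does not list and needs a manual check.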

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm mq_certified_container 3.1.0 lts OR 2.0.19 lts OR 2.4.8 lts

Vendor | Product | Version | CPE
---|---|---|---
ibm | mq_certified_container | 3.1.0 | cpe:2.3:a:ibm:mq_certified_container:3.1.0:*:*:*:lts:*:*:*
ibm | mq_certified_container | 2.0.19 | cpe:2.3:a:ibm:mq_certified_container:2.0.19:*:*:*:lts:*:*:*
ibm | mq_certified_container | 2.4.8 | cpe:2.3:a:ibm:mq_certified_container:2.4.8:*:*:*:lts:*:*:*
