IBM MQ could allow, under special circumstances, an authenticated user to obtain sensitive information due to a data leak from an error within the pre-v7 queue manager pubsub logic
CVEID: CVE-2020-4319
**DESCRIPTION:** IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 LTS, and 9.1 CD could allow, under special circumstances, an authenticated user to obtain sensitive information due to a data leak from an error within the pre-v7 queue manager pubsub logic. IBM X-Force ID: 177402.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM MQ | 9.1 CD |
IBM MQ | 9.1 LTS |
IBM MQ | 9.0 LTS |
IBM MQ | 8.0 |
IBM WebSphere MQ | 7.5 |
IBM WebSphere MQ | 7.1 |
IBM WebSphere MQ 7.1
Contact IBM Support and request a Fix for APAR IT31787
IBM WebSphere MQ 7.5
Contact IBM Support and request a Fix for APAR IT31787
IBM MQ 8.0
IBM MQ 9.0 LTS
Apply Interim Fix for APAR IT31787
IBM MQ 9.1 LTS
IBM MQ 9.1 CD
Disable fastpath bindings for SVRCONN channel instances, for example by setting MQIBindType=STANDARD under the Channel stanza of the Queue Manager ini file.
Additionally, ensure that untrusted applications that attach locally to the queue manager do not use MQCNO_FASTPATH_BINDING.
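One way to check that the MQIBindType workaround above is actually in effect is to parse the queue manager ini file and report the value set under the channel stanza. This is an added example, not IBM's code: the sample file contents are constructed, the parser assumes the usual stanza layout (`Name:` header lines, `Key=Value` attributes, `#` or `;` comments) and accepts both `Channel` and `Channels` as the stanza name, and it reports an absent key as `UNSET` for manual review rather than assuming a product default.

```python
import re

# Constructed sample ini contents (not taken from a real queue manager).
SAMPLE_FASTPATH = """\
#* Constructed sample
ExitPath:
   ExitsDefaultPath=/var/mqm/exits
Channels:
   MaxChannels=200
   MQIBindType=FASTPATH
Log:
   LogType=CIRCULAR
"""
SAMPLE_STANDARD = SAMPLE_FASTPATH.replace("MQIBindType=FASTPATH", "MQIBindType = standard")
SAMPLE_UNSET = SAMPLE_FASTPATH.replace("   MQIBindType=FASTPATH\n", "")
# Decoy: the key sits under the wrong stanza and inside a comment only.
SAMPLE_DECOY = "Log:\n   MQIBindType=STANDARD\nChannels:\n;  MQIBindType=STANDARD\n"

STANZA = re.compile(r"^(\w+)\s*:\s*$")          # e.g. "Channels:"
ATTR = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "   MQIBindType=STANDARD"

def mqi_bind_type(ini_text):
    """Return the MQIBindType value in the channel stanza, or 'UNSET'."""
    stanza, value = None, "UNSET"
    for line in ini_text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#;":
            continue  # blank line or comment
        m = STANZA.match(line)
        if m:
            stanza = m.group(1).lower()
            continue
        m = ATTR.match(line)
        # Case-insensitive matching is a conservative audit choice (assumption).
        if m and stanza in ("channel", "channels") and m.group(1).lower() == "mqibindtype":
            value = m.group(2).upper()  # a later duplicate overrides an earlier one
    return value

def workaround_applied(ini_text):
    """True only when MQIBindType=STANDARD is set explicitly in the channel stanza."""
    return mqi_bind_type(ini_text) == "STANDARD"

if __name__ == "__main__":
    for name, text in [("fastpath", SAMPLE_FASTPATH), ("standard", SAMPLE_STANDARD),
                       ("unset", SAMPLE_UNSET), ("decoy", SAMPLE_DECOY)]:
        print(f"{name}: MQIBindType={mqi_bind_type(text)} ok={workaround_applied(text)}")
```

The check covers only the ini setting; locally attached applications that request MQCNO_FASTPATH_BINDING still have to be reviewed separately.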