Security Bulletin: IBM MQ is affected by a denial of service vulnerability in OpenSSL (CVE-2023-2650)

Summary

IBM MQ is affected by a denial of service vulnerability in OpenSSL. OpenSSL is used by the IBM MQ Advanced Message Security feature on the IBM i platform.

Vulnerability Details

CVEID:CVE-2023-2650
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/256611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

The following installable MQ components are affected by the vulnerability:

- Advanced Message Security (AMS)

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins&gt;

Remediation/Fixes

This issue was resolved under APAR SE80122

IBM MQ 9.0 LTS

Apply Cumulative Security Update 9.0.0.19

IBM MQ 9.1 LTS

Apply Cumulative Security Update 9.1.0.17

IBM MQ 9.2 LTS

Apply Cumulative Security Update 9.2.0.16

IBM MQ 9.3 LTS

Apply Fix Pack 9.3.0.10

Workarounds and Mitigations

None