Security Bulletin: Password disclosure via trace log vulnerability in IBM MQ Managed File Transfer (CVE-2017-1795)

2018-10-1505:10:02

www.ibm.com

0.0004 Low

EPSS

Percentile

5.1%

JSON

Summary

Trace files generated by IBM MQ Managed File Transfer commands display passwords in plain text.

Vulnerability Details

CVEID: CVE-2017-1795 DESCRIPTION: IBM MQ Managed File Transfer could allow a local user to obtain highly sensitive information via trace log files generated by its commands.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137042> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM WebSphere MQ Managed File Transfer v7.5.0.0 through v7.5.0.8

IBM MQ Managed File Transfer v8.0.0.0 through v8.0.0.8

IBM MQ Managed File Transfer v9.0.0.0 through v9.0.0.2 (LTS Release)

IBM MQ Managed File Transfer v9.0.1, v9.0.2, v9.0.3 and v9.0.4 (CD Release)

Remediation/Fixes

IBM WebSphere MQ Managed File Transfer v7.5.0.0 through v7.5.0.8

Apply fix 7.5.0.9

IBM MQ Managed File Transfer v8.0.0.0 through v8.0.0.8

Apply fix pack 8.0.0.9

IBM MQ Managed File Transfer v9.0.0.0 through v9.0.0.2 (LTS release)

Apply fix pack 9.0.0.3

IBM MQ Managed File Transfer v9.0.1 CD, v9.0.2 CD, v9.0.3 CD and v9.0.4 CD

Apply IBM MQ Managed File Transfer v9.0.5 CD release

Workarounds and Mitigations

None

CPENameOperatorVersion
websphere mqeq9.0.4
websphere mqeq9.0.3
websphere mqeq9.0.2
websphere mqeq9.0.1
websphere mqeq9.0
websphere mqeq8.0
websphere mqeq7.5