Lucene search

IBMEFEAEDF3F7211F26F5D882AACD34265DE8842B14B16608BC89EE1B81C1F3BF3E

HistoryMar 01, 2023 - 4:33 p.m.

Security Bulletin: IBM MQ Blockchain bridge is vulnerable to multiple issues within protobuf-java-core (CVE-2022-3510, CVE-2022-3509)

2023-03-0116:33:38

www.ibm.com

ibm

blockchain

denial of service

vulnerability

protobuf-java-core

cve-2022-3510

cve-2022-3509

fix

upgrade

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

33.6%

JSON

Summary

Multiple issues were identified within protobuf-java-core which is used by fabric gateway which is used by IBM MQ Blockchain bridge to provide Blockchain functionality to IBM MQ.

Vulnerability Details

CVEID:CVE-2022-3510
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for Message-Type Extensions. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239916 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-3509
**DESCRIPTION:**protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ	9.2 LTS
IBM MQ	9.3 LTS
IBM MQ	9.2 CD
IBM MQ	9.3 CD

The following installable MQ components are affected by the vulnerability:

- IBM MQ Bridge to Blockchain

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

This issue was resolved under APAR 42343.

IBM MQ Version 9.2 LTS

Apply fix pack 9.2.0.7

IBM MQ Version 9.3 LTS

Apply fix pack 9.3.0.2

IBM MQ 9.2 and 9.3 CD

Upgrade to IBM MQ version 9.3.2

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmqMatch9.2.0

ibmmqMatch9.3.0

CPENameOperatorVersion
ibm mqeq9.2.0
ibm mqeq9.3.0

CPE	Name	Operator	Version
	ibm mq	eq	9.2.0
	ibm mq	eq	9.3.0

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

33.6%

JSON

Related for EFEAEDF3F7211F26F5D882AACD34265DE8842B14B16608BC89EE1B81C1F3BF3E