CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
IBM MQ Operator and Queue manager container images are vulnerable to denial-of-service flaws in Golang Go http2 and nghttp2. This bulletin identifies the steps required to address these vulnerabilities.
CVEID: CVE-2023-45288
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by a memory exhaustion flaw triggered by a flood of CONTINUATION frames in the HTTP/2 protocol stack of the net/http and x/net/http2 packages. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 10
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286962 for the current score.
CVSS Vector:
CVEID: CVE-2024-28182
**DESCRIPTION:** nghttp2 is vulnerable to a denial of service, caused by a memory exhaustion flaw triggered by a flood of CONTINUATION frames in the HTTP/2 protocol stack. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause excessive CPU usage, resulting in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/286963 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
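Both CVEs above share one mechanism: HTTP/2 lets a header block span a HEADERS frame and an unbounded run of CONTINUATION frames, and an implementation that buffers the whole run before applying its header-size limit can be driven out of memory (or, in nghttp2's case, into excessive CPU) by a peer that never sends END_HEADERS. The Go program below is an added example, not code from IBM, the Go project or nghttp2: a minimal frame decoder walks a raw frame sequence and enforces a byte budget on the accumulated header block before buffering any more of it, which is the defensive check the patched implementations apply. The frame encoder, the `BenignStream` and `FloodStream` sample inputs, the 16384-byte budget and all function names are constructed for this example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Frame layout per RFC 9113 section 4.1: 24-bit length, type, flags, 31-bit stream id, payload.
const (
	frameHeaderLen        = 9
	frameTypeHeaders      = 0x1
	frameTypeContinuation = 0x9
	flagEndHeaders        = 0x4
)

// ErrHeaderBlockTooLarge is returned once a HEADERS + CONTINUATION run exceeds the budget.
var ErrHeaderBlockTooLarge = errors.New("header block exceeds byte budget")

type frame struct{ typ, flags byte; streamID uint32; payload []byte }

// parseFrame decodes the frame at the front of buf and returns the remainder.
func parseFrame(buf []byte) (frame, []byte, error) {
	if len(buf) < frameHeaderLen {
		return frame{}, nil, errors.New("short frame header")
	}
	n := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
	if len(buf) < frameHeaderLen+n {
		return frame{}, nil, errors.New("truncated frame payload")
	}
	f := frame{typ: buf[3], flags: buf[4], streamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff,
		payload: buf[frameHeaderLen : frameHeaderLen+n]}
	return f, buf[frameHeaderLen+n:], nil
}

// encodeFrame builds one frame; used only to construct the sample streams below.
func encodeFrame(typ, flags byte, streamID uint32, payload []byte) []byte {
	out := make([]byte, frameHeaderLen+len(payload))
	out[0], out[1], out[2], out[3], out[4] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload)), typ, flags
	binary.BigEndian.PutUint32(out[5:9], streamID&0x7fffffff)
	copy(out[frameHeaderLen:], payload)
	return out
}

// CountHeaderBlockBytes sums the payload bytes of each HEADERS frame plus the
// CONTINUATION frames that follow it up to END_HEADERS, and stops with
// ErrHeaderBlockTooLarge as soon as the running total passes budget. Bounding
// the raw bytes before buffering or decoding them is what denies an endless
// CONTINUATION run the memory it is trying to consume.
func CountHeaderBlockBytes(stream []byte, budget int) (int, error) {
	total, open, openStream := 0, false, uint32(0)
	for len(stream) > 0 {
		f, rest, err := parseFrame(stream)
		if err != nil {
			return total, err
		}
		stream = rest
		switch {
		case f.typ == frameTypeHeaders && !open:
			open, openStream = true, f.streamID
		case f.typ == frameTypeContinuation && open && f.streamID == openStream:
			// continuation of the block opened above
		case open || f.typ == frameTypeContinuation:
			return total, errors.New("frame violates header-block sequencing")
		default:
			continue // DATA, SETTINGS etc. outside a header block are not counted
		}
		total += len(f.payload)
		if total > budget {
			return total, ErrHeaderBlockTooLarge
		}
		if f.flags&flagEndHeaders != 0 {
			open = false
		}
	}
	return total, nil
}

// BenignStream is constructed sample input: one header block split across a
// HEADERS and a CONTINUATION frame (150 bytes in total), then a DATA frame.
func BenignStream() []byte {
	s := encodeFrame(frameTypeHeaders, 0, 1, make([]byte, 100))
	s = append(s, encodeFrame(frameTypeContinuation, flagEndHeaders, 1, make([]byte, 50))...)
	return append(s, encodeFrame(0x0, 0x1, 1, make([]byte, 10))...)
}

// FloodStream is constructed sample input shaped like the CVE pattern: a
// HEADERS frame followed by n CONTINUATION frames that never set END_HEADERS.
func FloodStream(n int) []byte {
	s := encodeFrame(frameTypeHeaders, 0, 1, make([]byte, 1024))
	for i := 0; i < n; i++ {
		s = append(s, encodeFrame(frameTypeContinuation, 0, 1, make([]byte, 1024))...)
	}
	return s
}

func main() {
	n, err := CountHeaderBlockBytes(BenignStream(), 16384)
	fmt.Println("benign:", n, err)
	n, err = CountHeaderBlockBytes(FloodStream(20), 16384)
	fmt.Println("flood:", n, err)
}
```

Run with `go run`, it reports 150 header-block bytes for the benign stream and stops the constructed flood at 17408 bytes with `ErrHeaderBlockTooLarge`, having refused to buffer the remaining frames. In production the remediation is the one the bulletin gives (move to the fixed container images, whose Go runtime applies this bound itself); the same budget logic is what a proxy or frame-level inspector in front of an unpatched service would implement.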
Affected Product(s) | Release | Version(s)
---|---|---
IBM MQ Operator | SC2 (formerly LTS) | v3.2.0, v3.2.1, v3.2.2
IBM MQ Operator | CD | v3.0.0, v3.0.1, v3.1.0 - v3.1.3
IBM MQ Operator | LTS | v2.0.0 - v2.0.24
IBM MQ Operator | Other Release | v2.4.0 - v2.4.8, v2.3.0 - v2.3.3, v2.2.0 - v2.2.2
IBM supplied MQ Advanced container images | CD | 9.4.0.0-r1, 9.4.0.0-r2, 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2, 9.3.5.1-r1, 9.3.5.1-r2
IBM supplied MQ Advanced container images | LTS | 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1
IBM supplied MQ Advanced container images | Other Release | 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, 9.3.3.3-r1, 9.3.3.3-r2
Remediation/Fixes
Issues mentioned in this security bulletin are addressed in -
IBM strongly recommends applying the latest container images.
Note: The above details about the fix for CVE-2024-26906, CVE-2024-26982, CVE-2024-27059, CVE-2024-27052, CVE-2024-27048, CVE-2024-27014 are applicable only for IBM MQ Operator v2.0.25 LTS release.
IBM MQ Operator v3.2.3 CD and SC2 (formerly LTS) release details:

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v3.2.3 | |
ibm-mqadvanced-server | 9.4.0.0-r3 | |
ibm-mqadvanced-server-integration | 9.4.0.0-r3 | |
ibm-mqadvanced-server-dev | 9.4.0.0-r3 | |

IBM MQ Operator V2.0.25 LTS release details:

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.0.25 | |
ibm-mqadvanced-server | 9.3.0.20-r2 | |
ibm-mqadvanced-server-integration | 9.3.0.20-r2 | |
ibm-mqadvanced-server-dev | 9.3.0.20-r2 | |
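The fix tables give one fixed build per stream, so deciding whether a running image is patched comes down to comparing its tag against that build, and the tags do not sort correctly as strings (a lexical compare puts 9.3.0.20-r1 before 9.3.0.5-r1). The Go program below is an added example, not IBM tooling: it parses `ibm-mqadvanced-server*` tags into numeric parts, orders them properly, and lists image references that are still below the fixed build. The decision rule is an assumption derived from the tables above (the 9.3.0.x LTS stream is fixed from 9.3.0.20-r2, anything at or past 9.4.0.0-r3 is fixed, and tags in neither stream, such as 9.2.x-eus or 9.3.1 through 9.3.5, are reported as unfixed because this bulletin lists no fixed build for them); the function names are the example's own, and the image references it inspects are whatever list you feed it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ImageTag is a parsed IBM MQ container image tag such as 9.3.0.20-r1 or
// 9.2.0.6-r3-eus: Parts holds the four dotted version components followed by
// the -rN rebuild number; a trailing -eus suffix is accepted and ignored.
type ImageTag struct{ Parts [5]int }

// ParseImageTag splits a tag into numbers so that ordering is numeric rather
// than lexical (string order would place 9.3.0.20-r1 before 9.3.0.5-r1).
func ParseImageTag(tag string) (ImageTag, error) {
	var t ImageTag
	p := strings.Split(tag, "-")
	if len(p) < 2 || len(p) > 3 || !strings.HasPrefix(p[1], "r") || (len(p) == 3 && p[2] != "eus") {
		return t, fmt.Errorf("unexpected tag layout %q", tag)
	}
	fields := append(strings.Split(p[0], "."), p[1][1:])
	if len(fields) != 5 {
		return t, fmt.Errorf("expected four version components in %q", tag)
	}
	for i, f := range fields {
		v, err := strconv.Atoi(f)
		if err != nil {
			return t, fmt.Errorf("non-numeric field %q in %q", f, tag)
		}
		t.Parts[i] = v
	}
	return t, nil
}

// Compare orders tags by version components first, then by rebuild number.
func (t ImageTag) Compare(o ImageTag) int {
	for i := range t.Parts {
		if t.Parts[i] < o.Parts[i] {
			return -1
		}
		if t.Parts[i] > o.Parts[i] {
			return 1
		}
	}
	return 0
}

func mustParse(s string) ImageTag {
	t, err := ParseImageTag(s)
	if err != nil {
		panic(err)
	}
	return t
}

// Fixed builds taken from the bulletin's remediation tables.
var (
	fixCD  = mustParse("9.4.0.0-r3")  // IBM MQ Operator v3.2.3 CD / SC2 release
	fixLTS = mustParse("9.3.0.20-r2") // IBM MQ Operator v2.0.25 LTS release
)

// IsFixed reports whether an ibm-mqadvanced-server* image tag carries the fix.
// The rule is an assumption derived from the bulletin's tables: the 9.3.0.x
// LTS stream is fixed from 9.3.0.20-r2 and everything at or past 9.4.0.0-r3 is
// fixed; any other tag (9.2.x-eus, 9.3.1 through 9.3.5) has no fixed build in
// this bulletin and is reported as not fixed.
func IsFixed(tag string) (bool, error) {
	t, err := ParseImageTag(tag)
	if err != nil {
		return false, err
	}
	if t.Compare(fixCD) >= 0 {
		return true, nil
	}
	inLTS := t.Parts[0] == 9 && t.Parts[1] == 3 && t.Parts[2] == 0
	return inLTS && t.Compare(fixLTS) >= 0, nil
}

// UnfixedImages scans image references (registry/path:tag) and returns the
// MQ Advanced server images whose tag is below the fixed build or unparseable.
func UnfixedImages(refs []string) []string {
	var out []string
	for _, ref := range refs {
		i := strings.LastIndex(ref, ":")
		if i < 0 || !strings.Contains(ref[:i], "ibm-mqadvanced-server") {
			continue
		}
		if fixed, err := IsFixed(ref[i+1:]); err != nil || !fixed {
			out = append(out, ref)
		}
	}
	return out
}

func main() {
	fmt.Println(UnfixedImages([]string{ // constructed references
		"registry.example.com/mq/ibm-mqadvanced-server:9.3.0.20-r1",
		"registry.example.com/mq/ibm-mqadvanced-server:9.3.0.20-r2",
	}))
}
```

An unparseable tag (for example `latest`) is deliberately reported as unfixed rather than skipped, so a mutable tag cannot hide an old image from the scan; references pinned by digest (`@sha256:...`) carry no version and would need to be resolved to a tag first.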
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | ibm_mq_certified_container_software | 3.2.3 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:3.2.3:*:*:*:*:*:*:* |
ibm | ibm_mq_certified_container_software | 2 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2:*:*:*:*:*:*:* |
ibm | ibm_mq_certified_container_software | 2.0.25 | cpe:2.3:a:ibm:ibm_mq_certified_container_software:2.0.25:*:*:*:*:*:*:* |