CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
32.8%
According to its self-reported version, the IBM MQ server installed on the remote host is 8.0.x prior to 8.0.0.13, 9.0.x prior to 9.0.0.8, 9.1.0.x LTS prior to 9.1.0.4 LTS, or 9.1.4 CD and is therefore affected by an unspecified flaw related to channels handling that can allow denial of service.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description)
{
script_id(132341);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2020/10/07");
script_cve_id("CVE-2019-4560");
script_bugtraq_id(108068);
script_xref(name:"IAVA", value:"2019-A-0466-S");
script_name(english:"IBM MQ < 8.0.0.13 / 9.0.0.8 LTS / 9.1.0.4 LTS / 9.1.4 CD Channels DoS (CVE-2019-4560)");
script_set_attribute(attribute:"synopsis", value:
"A message queuing service installed on the remote host is affected
by a denial of service vulnerability.");
script_set_attribute(attribute:"description", value:
"According to its self-reported version, the IBM MQ server installed
on the remote host is 8.0.x prior to 8.0.0.13, 9.0.x prior to 9.0.0.8,
9.1.0.x LTS prior to 9.1.0.4 LTS, or 9.1.4 CD and is therefore
affected by an unspecified flaw related to channels handling that can
allow denial of service.");
script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/support/pages/node/1106037");
script_set_attribute(attribute:"see_also", value:"https://exchange.xforce.ibmcloud.com/vulnerabilities/166357");
script_set_attribute(attribute:"solution", value:
"Upgrade to IBM MQ 8.0.0.13, 9.0.0.8 LTS, 9.1.0.4 LTS, or 9.1.4 CD as
per the vendor advisory.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-4560");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/09");
script_set_attribute(attribute:"patch_publication_date", value:"2019/12/09");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/20");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_mq");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("websphere_mq_installed.nasl");
script_require_keys("installed_sw/IBM WebSphere MQ");
exit(0);
}
include('install_func.inc');
app_name = 'IBM WebSphere MQ';
install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);
if (install['Type'] != 'Server') audit(AUDIT_HOST_NOT,'affected');
version = install['version'];
path = install['path'];
fix = NULL;
flag = FALSE;
# 8.0.x < 8.0.0.13
if (version =~ "^8\.0\.0\.")
{
fix = '8.0.0.13';
}
# 9.0.x < 9.0.0.8
else if (version =~ "^9\.0\.0\.")
{
fix = '9.0.0.8';
}
# v9.1.0.0 - 9.1.0.4 (LTS is longer ver)
else if (version =~ "^9\.1\.0\.")
{
fix = '9.1.0.4';
}
# 9.1.x < 9.1.4 (CD is shorter ver)
else if (version =~ "^9\.1\.[0-3]$")
{
fix = '9.1.4';
}
else
audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
if (ver_compare(ver:version, fix:fix, strict:FALSE) == -1)
{
port = get_kb_item('SMB/transport');
if (!port) port = 445;
report =
'\n Path : ' + path +
'\n Installed version : ' + version +
'\n Fixed version : ' + fix +
'\n';
security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);
}
else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
32.8%