Edit Content
Report Incident
English
Sinhala
Tamil

ADVISORY!

TLP : CLEAR

Date : 02/08/2024

REF NO : CERT / 2024/08/68

IBM MQ Multiple Vulnerabilities

Severity Level: Medium

Components Affected

IBM MQ Operator:

  • SC2 (formerly LTS): v3.2.0, v3.2.1, v3.2.2
  • CD: v3.0.0, v3.0.1, v3.1.0 – 3.1.3
  • LTS: v2.0.0 – 2.0.24
  • Other Release: v2.4.0 – v2.4.8, v2.3.0 – 2.3.3, v2.2.0 – v2.2.2

IBM supplied MQ Advanced container images:

  • CD: 9.4.0.0-r1, 9.4.0.0-r2, 9.3.4.0-r1, 9.3.4.1-r1,9.3.5.0-r1,9.3.5.0-r2,9.3.5.1-r1, 9.3.5.1-r2
  • LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1
  • Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4,  9.3.0.3-r1,  9.3.0.4-r1, 9.3.0.4-r2,  9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3,  9.3.0.6-r1,  9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2,  9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1,  9.3.3.3-r2

Overview

Multiple vulnerabilities were identified in IBM MQ. A remote attacker could exploit some of these vulnerabilities to trigger denial of service condition and security restriction bypass on the targeted system.

Description

Several security vulnerabilities have been identified across various tools and libraries. In runc versions 1.1.11 and earlier, an internal file descriptor leak could allow an attacker to cause a newly-spawned container process to have a working directory in the host filesystem namespace, leading to potential container escapes and host filesystem access. This vulnerability has been patched in runc 1.1.12. Similarly, libxml2 versions before 2.11.7 and 2.12.x before 2.12.5 are vulnerable to a use-after-free issue when processing crafted XML documents with DTD validation and XInclude expansion enabled. In Kerberos 5 (krb5) version 1.21.2, a memory leak vulnerability was discovered in the k5sealv3.c file. Additionally, the jose package, which implements Javascript Object Signing and Encryption standards, was found to be vulnerable to an attack where a JWE containing compressed data could consume excessive memory and CPU resources when decompressed. This issue has been addressed in versions 4.0.1, 3.0.3, and 2.6.3.

Impact

  • Denial of Service
  • Security Restriction Bypass

Solution/ Workarounds

Before installation of the software, please visit the vendor web-site for more details.

Apply fixes issued by the vendor:

Reference

Disclaimer : The information provided herein is on an “as is” basis, without warranty of any kind.

Sri Lanka Computer Emergency Readiness Team | Coordination Centre

Linkedin-in Facebook-f Twitter Youtube

Quick Links

Useful Links

Contact

  • Hotline : 101
  • +94 11 269 1692
  • Room 4-112, BMICH, Bauddhaloka Mawatha, Colombo 07, Sri Lanka.
  • General inquiry: cert@cert.gov.lk
  • Security incidents: incidents@cert.gov.lk
  • Social media incidents: report@cert.gov.lk

Copyright © 2023 SRI LANKA CERT | CC