IBM00962134EB8627619FD8C530336B29E17987EA86FF4187B7AB9B87B47B80A96DSecurity Bulletin: IBM MQ is affected by vulnerabilities in libcURL (CVE-2023-23916, CVE-2023-27535)
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
51.4%
Summary
Multiple issues were identified within the libcurl library that affect IBM MQ. IBM MQ uses libcurl to provide HTTPURL functionality which is only used to download remote CCDT files and is not used to send or receive messages.
Vulnerability Details
CVEID:CVE-2023-23916
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a flaw in the decompression chain implementation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause memory errors, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-27535
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a FTP too eager connection reuse flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to reuse a previously created FTP connection.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/250530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.0 LTS |
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.3 LTS |
| IBM MQ | 9.1 CD |
| IBM MQ | 9.2 CD |
| IBM MQ | 9.3 CD |
The following installable MQ components are affected by the vulnerability:
- Standard Client
- Runtime
If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>
Remediation/Fixes
This issue was resolved under APAR IT43273
IBM MQ 9.0 LTS
Apply cumulative security update 9.0.0.17
IBM MQ 9.1 LTS
IBM MQ 9.2 LTS
Apply cumulative security update 9.2.0.11
IBM MQ 9.3 LTS
IBM MQ 9.1 CD, 9.2 CD and 9.3 CD
Upgrade to IBM MQ 9.3.2 and apply cumulative security update 9.3.2.1
Workarounds and Mitigations
None
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P
0.002 Low
EPSS
Percentile
51.4%