Security Bulletin: IBM MQ Appliance is affected by libxml2 vulnerabilities (CVE-2019-19956, CVE-2019-20388, CVE-2020-7595)

Summary

IBM MQ Appliance has resolved libxml2 vulnerabilities.

Vulnerability Details

CVEID:CVE-2019-19956
**DESCRIPTION:**libxml2 is vulnerable to a denial of service, caused by a memory leak in xmlParseBalancedChunkMemoryRecover in parser.c. By persuading a victim to open a specially crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173518 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2019-20388
**DESCRIPTION:**GNOME libxml2 could allow a remote attacker to obtain sensitive information, caused by an xmlSchemaValidateStream memory leak in xmlSchemaPreRun in xmlschemas.c. By persuading a victim to open a specially crafted file, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175539 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-7595
**DESCRIPTION:**The Gnome Project Libxml2 is vulnerable to a denial of service, caused by an error in xmlStringLenDecodeEntities in parser.c. An attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175333 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Remediation/Fixes

IBM MQ Appliance 9.1 LTS

Apply fixpack 9.1.0.7, or later maintenance.

IBM MQ Appliance 9.1 CD

Upgrade to 9.2.1 CD, or later.

IBM MQ Appliance 9.2 LTS

Apply iFix IT34570, or later maintenance.

Workarounds and Mitigations

None