Security Bulletin: IBM MQ is vulnerable to issues in Eclipse (CVE-2023-4218, CVE-2023-44487)

2024-02-29 21:58:05
www.ibm.com
Tags: ibm mq, eclipse, xml xxe, http/2, dos, vulnerability, security bulletin

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score: 7.3
Confidence: High
EPSS: 0.816
Percentile: 98.4%

Summary

IBM MQ has addressed vulnerabilities in Eclipse, which is used in IBM MQ Explorer.

Vulnerability Details

CVEID: CVE-2023-4218
**DESCRIPTION:** Eclipse IDE could allow a local authenticated attacker to obtain sensitive information, caused by improper handling of XML external entity (XXE) declarations. By persuading a victim to open specially crafted XML content, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/271083 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)

CVEID: CVE-2023-44487
**DESCRIPTION:** Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.0 LTS |
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.3 CD |

The following installable MQ components are affected by the vulnerability:

- IBM MQ Explorer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

These issues were addressed under APARs IT45240 and IT45350.

IBM MQ version 9.0 LTS

Apply Cumulative Security Update 9.0.0.23

IBM MQ version 9.1 LTS

Apply Fix Pack 9.1.0.20

IBM MQ version 9.2 LTS

Apply Cumulative Security Update 9.2.0.22

IBM MQ version 9.3 CD

Upgrade to IBM MQ version 9.3.5 CD
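The fix levels above differ per release stream, so an inventory check has to map an installed version onto its stream before comparing. The following is an added example, not IBM's code: it takes a dotted IBM MQ version string (the form IBM MQ reports, e.g. in the `Version:` line of `dspmqver`; that source is an assumption) and assumes the IBM MQ convention that LTS releases carry modification level 0 (V.R.0.F) while CD releases carry a non-zero modification level.

```python
"""Decide whether an IBM MQ installation is at or above the fix level named in
this bulletin.  Added example, not IBM code.  Minimum levels are copied from the
Remediation/Fixes section; the LTS/CD split by modification level is an
assumption about IBM MQ's numbering."""
from typing import Tuple

# (stream, release type) -> first fixed level, taken from the bulletin.
FIXED_LEVELS = {
    ("9.0", "LTS"): (9, 0, 0, 23),   # Cumulative Security Update 9.0.0.23
    ("9.1", "LTS"): (9, 1, 0, 20),   # Fix Pack 9.1.0.20
    ("9.2", "LTS"): (9, 2, 0, 22),   # Cumulative Security Update 9.2.0.22
    ("9.3", "CD"):  (9, 3, 5, 0),    # upgrade to 9.3.5 CD
}


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '9.2.0.10' into (9, 2, 0, 10); missing trailing parts count as 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised IBM MQ version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (4 - len(parts))
    return nums[0], nums[1], nums[2], nums[3]


def release_stream(v: Tuple[int, int, int, int]) -> Tuple[str, str]:
    """Map a version to (stream, 'LTS'|'CD'); assumption: LTS has mod level 0."""
    return f"{v[0]}.{v[1]}", "LTS" if v[2] == 0 else "CD"


def assess(version: str, has_explorer: bool = True) -> str:
    """Return 'not-affected', 'not-listed', 'vulnerable' or 'fixed'.

    'not-listed' means the bulletin names no fix for this stream/type, so it
    must be checked against other bulletins rather than assumed safe."""
    if not has_explorer:
        # Only the IBM MQ Explorer component is listed as affected.
        return "not-affected"
    v = parse_version(version)
    fixed = FIXED_LEVELS.get(release_stream(v))
    if fixed is None:
        return "not-listed"
    return "fixed" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    for sample in ("9.2.0.10", "9.2.0.22", "9.3.4.0", "9.3.5.0", "9.3.0.15"):
        print(sample, assess(sample))
```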

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm mq match 9.0 OR 9.1 OR 9.2 OR 9.3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | mq | 9.0 | cpe:2.3:a:ibm:mq:9.0:*:*:*:*:*:*:* |
| ibm | mq | 9.1 | cpe:2.3:a:ibm:mq:9.1:*:*:*:*:*:*:* |
| ibm | mq | 9.2 | cpe:2.3:a:ibm:mq:9.2:*:*:*:*:*:*:* |
| ibm | mq | 9.3 | cpe:2.3:a:ibm:mq:9.3:*:*:*:*:*:*:* |
