Security Bulletin: IBM MQ and IBM MQ Appliance command server is vulnerable to a denial of service attack caused by specially crafted PCF messages (CVE-2019-4378)

Summary

An error was found within the IBM MQ and IBM MQ Appliance Command Server PCF logic that means an attacker can cause a denial of service attack by sending a specially crafted PCF message. Doing so will cause the Command Server to crash, which will prevent further administrative commands from being executed against queue managers.

Vulnerability Details

CVEID: CVE-2019-4378 DESCRIPTION: IBM MQ command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162084&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM WebSphere MQ V7.1

versions 7.1.0.0 - 7.1.0.9

IBM WepSphere MQ V7.5

versions 7.5.0.0 - 7.5.0.9

IBM MQ and IBM MQ Appliance V8

versions 8.0.0.0 - 8.0.0.12

IBM MQ V9.0LTS

versions 9.0.0.0 - 9.0.0.6

IBM MQ and IBM MQ Appliance V9.1 LTS

versions 9.1.0.0 - 9.1.0.2

IBM MQ and IBM MQ Appliance V9.1 CD

versions 9.1.0 - 9.1.2

Remediation/Fixes

IBM WebSphere MQ V7.1

Contact IBM Support requesting a fix for APAR IT29141

IBM WepSphere MQ V7.5

Contact IBM Support requesting a fix for APAR IT29141

IBM MQ and IBM MQ Appliance V8

Apply Fixpack 8.0.0.13

IBM MQ V9.0LTS

Apply Fixpack 9.0.0.7

IBM MQ and IBM MQ Appliance V9.1 LTS

Apply Fixpack 9.1.0.3

IBM MQ and IBM MQ Appliance V9.1 CD

Upgrade to IBM MQ 9.1.3

Workarounds and Mitigations

None