IBM08F987F6688BBFB246F8BE61C77B380DBCEA210C38E92ACCE58ABE53A4C88175Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
37.6%
Summary
Multiple issues were identified in Red Hat UBI packages Kubernetes, curl, systemd that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images
Vulnerability Details
CVEID:CVE-2022-43552
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a use-after-free flaw when using an HTTP proxy. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242799 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-4415
**DESCRIPTION:**systemd could allow a local authenticated attacker to obtain sensitive information, caused by not respecting fs.suid_dumpable kernel setting in the systemd-coredump. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/242796 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-3172
**DESCRIPTION:**Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw with allowing an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to unexpected actions and the client’s API server credentials to third parties.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236344 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ Operator | CD: v2.3.3 and prior releases |
| LTS: v2.0.11 and prior releases | |
| IBM supplied MQ Advanced container images | CD: 9.3.2.1-r2 and prior releases |
| LTS: 9.3.0.5-r2and prior releases |
Remediation/Fixes
Issue mentioned by this security bulletin is addressed in IBM MQ Operator v2.4.0 CD release that included IBM supplied MQ Advanced 9.3.3.0-r1 container image and IBM MQ Operator v2.0.12 LTS release that included IBM supplied MQ Advanced 9.3.0.5-r3 container image.
IBM strongly recommends applying the latest container images.
**IBM MQ Operator 2.4.0 CD release details:
**
Image
|
Fix Version
|
Registry
|
Image Location
—|—|—|—
ibm-mq-operator
|
v2.4.0
|
|
ibm-mqadvanced-server
|
9.3.3.0-r1
|
|
ibm-mqadvanced-server-integration
|
9.3.3.0-r1
|
|
ibm-mqadvanced-server-dev
|
9.3.3.0-r1
|
|
**IBM MQ Operator V2.0.12 LTS release details: **
Image
|
Fix Version
|
Registry
|
Image Location
—|—|—|—
ibm-mq-operator
|
2.0.12
|
|
ibm-mqadvanced-server
|
9.3.0.5-r3
|
|
ibm-mqadvanced-server-integration
|
9.3.0.5-r3
|
|
ibm-mqadvanced-server-dev
|
9.3.0.5-r3
|
|
Workarounds and Mitigations
Important Note for users of Operations Dashboard on IBM MQ LTS Queue Manager Container Images 9.3.0.x
When Operations Dashboard is enabled, the following IBM MQ LTS Queue Manager Container Images deploy
Operations Dashboard Agent and Collector images that do not contain the latest security fixes available
at the time of their GA.
- 9.3.0.5-r1 (April 2023 GA)
- 9.3.0.5-r2 (May 2023 GA)
IBM MQ LTS Queue Managers Container Images from 9.3.0.5-r3 (June 2023 GA) onwards contain the latest available security fixes.
Mitigation: Upgrade all IBM MQ LTS 9.3.0.x Queue Managers with Operations Dashboard enabled to at least 9.3.0.5-r3.
To complete this upgrade, follow the instructions in Upgrading an IBM MQ queue manager using Red Hat OpenShift.``
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm mq certified container software | eq | 2.4.0 | |
| ibm mq certified container software | eq | 2.0.12 |
Related
8.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.001 Low
EPSS
Percentile
37.6%