IBM
ID: 0EAF0E7ECF4B43EABC60343FECACB80C7A309FCD16CDDD109023E59814A0008A
History: Dec 10, 2020 - 2:36 p.m.

Security Bulletin: App Connect Enterprise Certified Container Integration Servers could cause a Denial of Service or a buffer overflow when using MQ

2020-12-10 14:36:43
www.ibm.com
Tags: app connect enterprise, integration servers, denial of service, buffer overflow, ibm mq, ibm x-force

EPSS

0.001

Percentile

43.8%

Summary

App Connect Enterprise Certified Container Integration Servers could cause a Denial of Service or a buffer overflow when communicating with an MQ server due to CVE-2020-4375 and CVE-2020-4465.

Vulnerability Details

CVEID: CVE-2020-4375
**DESCRIPTION:** IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. IBM X-Force ID: 179080.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/179080 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4465
**DESCRIPTION:** IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS are vulnerable to a buffer overflow due to an error within the channel processing code. A remote attacker could overflow the buffer using an older client and cause a denial of service. IBM X-Force ID: 181562.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/181562 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)                          Version(s)
App Connect Enterprise Certified Container   1.0.0 with Operator
App Connect Enterprise Certified Container   1.0.1 with Operator
App Connect Enterprise Certified Container   1.0.2 with Operator
App Connect Enterprise Certified Container   1.0.3 with Operator
App Connect Enterprise Certified Container   1.0.4 with Operator
App Connect Enterprise Certified Container   1.0.5 with Operator

Remediation/Fixes

Upgrade App Connect Enterprise Certified Container to Operator version 1.1.0 (available in CASE 1.1.0) or higher, and ensure that any Integration Server components are upgraded to 11.0.0.10-r3 or higher.
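The fix has two parts that must both hold: the Operator at 1.1.0 or higher and every Integration Server at 11.0.0.10-r3 or higher. As an added example that is not IBM's code, the Python script below parses the version format the bulletin uses (including the `-rN` release suffix) and reports which records in an inventory still fall short of either threshold. The `Inventory` class, the sample records and the rule that a version without an `-rN` suffix is treated as release 0 (so that a bare `11.0.0.10` is flagged rather than passed) are this example's own assumptions; it works on a constructed list and does not query a cluster.

```python
"""Remediation check for the bulletin's fixed versions (added example; not IBM code)."""
from dataclasses import dataclass
import re

# Thresholds stated in the bulletin's Remediation/Fixes section.
FIXED_OPERATOR = "1.1.0"
FIXED_INTEGRATION_SERVER = "11.0.0.10-r3"
# Operator versions listed as affected.
AFFECTED_OPERATORS = ["1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.0.4", "1.0.5"]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(v: str) -> tuple:
    """Turn '11.0.0.10-r3' into ((11, 0, 0, 10), 3) so versions compare as tuples.

    Assumption of this example: a missing '-rN' suffix counts as release 0, which
    is the conservative reading (a bare 11.0.0.10 sorts below 11.0.0.10-r3).
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    release = int(m.group(2)) if m.group(2) else 0
    return parts, release


@dataclass
class Inventory:
    """One deployment record (hypothetical shape; not an IBM API object)."""
    name: str
    operator_version: str
    integration_server_version: str


def is_listed_affected_operator(version: str) -> bool:
    """True when the Operator version is one the bulletin lists as affected."""
    return parse_version(version) in {parse_version(v) for v in AFFECTED_OPERATORS}


def is_remediated(record: Inventory) -> bool:
    """True only when both components meet the bulletin's fixed versions."""
    return (parse_version(record.operator_version) >= parse_version(FIXED_OPERATOR)
            and parse_version(record.integration_server_version)
            >= parse_version(FIXED_INTEGRATION_SERVER))


def triage(records) -> dict:
    """Map each record that still needs an upgrade to the reasons why."""
    findings = {}
    for r in records:
        reasons = []
        if parse_version(r.operator_version) < parse_version(FIXED_OPERATOR):
            reasons.append(f"operator {r.operator_version} < {FIXED_OPERATOR}")
        if parse_version(r.integration_server_version) < parse_version(FIXED_INTEGRATION_SERVER):
            reasons.append(
                f"integration server {r.integration_server_version} < {FIXED_INTEGRATION_SERVER}")
        if reasons:
            findings[r.name] = reasons
    return findings


# Constructed sample inventory; these are not real deployments.
SAMPLE = [
    Inventory("ace-prod", "1.1.0", "11.0.0.10-r3"),      # fully remediated
    Inventory("ace-staging", "1.1.0", "11.0.0.10-r2"),   # operator ok, server one release short
    Inventory("ace-legacy", "1.0.5", "11.0.0.9-r1"),     # both components affected
    Inventory("ace-new", "1.2.0", "11.0.0.11"),          # newer than both thresholds
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Checking both components separately matters because the Operator can be current while an Integration Server created under an older Operator is still running the vulnerable MQ client code.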

Workarounds and Mitigations

None
