Security Bulletin: IBM MQ Appliance is affected by an unauthorised access vulnerability (CVE-2019-4621)

2020-01-2315:01:56

www.ibm.com

0.007 Low

EPSS

Percentile

79.6%

JSON

Summary

IBM MQ Appliance has addressed the following unauthorised access vulnerability.

Vulnerability Details

CVEID:CVE-2019-4621
**DESCRIPTION:**IBM DataPower Appliance and IBM MQ Appliance have a default administrator account that is enabled if the IPMI LAN channel is enabled. A remote attacker could use this account to gain unauthorised access to the BMC.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168883 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ Appliance	8.0
IBM MQ Appliance	9.1 LTS
IBM MQ Appliance	9.1 CD

Remediation/Fixes

IBM MQ Appliance 8
Apply fix pack 8.0.0.14, or later.

IBM MQ Appliance version 9.1 LTS

Apply fix pack 9.1.0.4, or later.

IBM MQ Appliance version 9.1 CD

Apply continuous delivery release 9.1.4 , or later.

Workarounds and Mitigations

This issue only affects the IBM MQ Appliance when the IPMI interface is enabled.

CPENameOperatorVersion
ibm mq applianceeq8.0.0.0
ibm mq applianceeq8.0.0.1
ibm mq applianceeq8.0.0.3
ibm mq applianceeq8.0.0.4
ibm mq applianceeq8.0.0.5
ibm mq applianceeq8.0.0.6
ibm mq applianceeq8.0.0.7
ibm mq applianceeq8.0.0.9
ibm mq applianceeq8.0.0.10
ibm mq applianceeq8.0.0.11

Name	Operator	Version
ibm mq appliance	eq	8.0.0.0
ibm mq appliance	eq	8.0.0.1
ibm mq appliance	eq	8.0.0.3
ibm mq appliance	eq	8.0.0.4
ibm mq appliance	eq	8.0.0.5
ibm mq appliance	eq	8.0.0.6
ibm mq appliance	eq	8.0.0.7
ibm mq appliance	eq	8.0.0.9
ibm mq appliance	eq	8.0.0.10
ibm mq appliance	eq	8.0.0.11

Rows per page:

1-10 of 191

0.007 Low

EPSS

Percentile

79.6%

JSON

Related for 15ED62F8443D5BEE39CA1FACC67E8532561450B54EC6691A6B87463AFECB5A5F