Security Bulletin: IBM MQ is vulnerable to an issue in libqb (CVE-2023-39976)

2024-02-29 17:03:53
www.ibm.com

Tags: ibm mq, libqb, buffer overflow, rdqm, rhel 9, apar it45274, cve-2023-39976

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.1 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 27.1%)

Summary

IBM MQ has addressed a vulnerability in libqb, which is only applicable when the RDQM package is installed and configured as part of an HA group on RHEL 9.

Vulnerability Details

**CVEID:** CVE-2023-39976
**DESCRIPTION:** ClusterLabs libqb is vulnerable to a buffer overflow, caused by improper bounds checking by the qb_vsnprintf_serialize function in log_blackbox.c. By sending a specially crafted request, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/263116> for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
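The defect class named above is a serializer that packs variable-length fields into a fixed buffer without checking each write against the space that actually remains. The following is an added illustration of the defensive pattern that prevents it; it is constructed for this bulletin and is not libqb's code, and `serialize_fields`, `serialize_into`, `count_fields` and the length-prefixed record layout are assumptions made for the example. Every write is checked against the remaining capacity, and the reader side validates each embedded length before trusting it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (not libqb's): each field is a 32-bit
 * little-endian length followed by that many bytes, packed back to back. */
#define FIELD_HDR 4u

static void put_u32le(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)v;         dst[1] = (uint8_t)(v >> 8);
    dst[2] = (uint8_t)(v >> 16); dst[3] = (uint8_t)(v >> 24);
}

static uint32_t get_u32le(const uint8_t *src) {
    return (uint32_t)src[0] | ((uint32_t)src[1] << 8) |
           ((uint32_t)src[2] << 16) | ((uint32_t)src[3] << 24);
}

/* Hardened serializer: returns bytes written, or -1 if any field would not
 * fit.  The check is made against the space *remaining* after earlier
 * fields, and is written so the arithmetic itself cannot wrap. */
int serialize_fields(uint8_t *buf, size_t buf_len,
                     const char *const *fields, size_t nfields) {
    size_t off = 0;
    for (size_t i = 0; i < nfields; i++) {
        size_t flen = strlen(fields[i]);
        size_t remaining = buf_len - off;           /* off <= buf_len always */
        if (flen > UINT32_MAX ||
            remaining < FIELD_HDR ||
            remaining - FIELD_HDR < flen) {
            return -1;                              /* refuse, never overflow */
        }
        put_u32le(buf + off, (uint32_t)flen);
        memcpy(buf + off + FIELD_HDR, fields[i], flen);
        off += FIELD_HDR + flen;
    }
    return off > INT_MAX ? -1 : (int)off;
}

/* Reader side: walks a serialized buffer and counts fields, validating each
 * embedded length against the bytes that remain.  Returns -1 on a malformed
 * (truncated or over-long) record rather than reading past the buffer. */
int count_fields(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int n = 0;
    while (off < len) {
        if (len - off < FIELD_HDR) return -1;       /* truncated header */
        uint32_t flen = get_u32le(buf + off);
        if (len - off - FIELD_HDR < flen) return -1; /* length exceeds data */
        off += FIELD_HDR + flen;
        n++;
    }
    return n;
}

/* Helper for stand-alone use and tests: serialize into a buffer of the given
 * capacity (at most 64 bytes here) and return the size written, or -1. */
int serialize_into(size_t cap, const char *const *fields, size_t nfields) {
    uint8_t buf[64];
    if (cap > sizeof buf) return -1;
    return serialize_fields(buf, cap, fields, nfields);
}

int main(void) {
    /* Constructed sample fields; the queue manager name is made up. */
    const char *fields[] = { "QM1", "ha-group" };
    uint8_t buf[64];
    int n = serialize_fields(buf, sizeof buf, fields, 2);
    printf("serialized %d bytes, %d fields parsed back\n",
           n, n < 0 ? -1 : count_fields(buf, (size_t)n));
    printf("into 18 bytes: %d (expected -1)\n", serialize_into(18, fields, 2));
    return 0;
}
```

The two conditions in `serialize_fields` are ordered so that `remaining - FIELD_HDR` is only evaluated once `remaining >= FIELD_HDR` is known, which is what keeps an unsigned subtraction from wrapping into a false "fits" answer.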

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.3 LTS |
| IBM MQ | 9.3 CD |

The following installable MQ components are affected by the vulnerability:

- RDQM (replicated data queue manager)

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

This issue was addressed under APAR IT45274

IBM MQ version 9.2 LTS

Apply Cumulative Security Update 9.2.0.22

IBM MQ version 9.3 LTS

Apply Cumulative Security Update 9.3.0.16

IBM MQ version 9.3 CD

Upgrade to IBM MQ version 9.3.5 CD

Workarounds and Mitigations

None

Affected configurations (Vulners)

Node: ibmmq Match 9.2 OR ibmmq Match 9.3

| CPE Name | Operator | Version |
|---|---|---|
| ibm mq | eq | 9.2 |
| ibm mq | eq | 9.3 |
