Security Bulletin: IBM MQ is affected by a vulnerability in Apache Commons Net (CVE-2021-37533)

Summary

IBM MQ Managed File Transfer is affected by a vulnerability in Apache Commons Net.

Vulnerability Details

CVEID:CVE-2021-37533
**DESCRIPTION:**Apache Commons Net could allow a remote attacker to obtain sensitive information, caused by an issue with the FTP client trusting the host from PASV response by default. By persuading a victim to connect to specially-crafted server, an attacker could exploit this vulnerability to obtain information about services running on the private network, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

The following installable MQ components are affected by the vulnerability:

- Managed File Transfer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins&gt;

Remediation/Fixes

This issue was resolved under APAR IT42724.

IBM MQ 9.0 LTS

Apply cumulative security update 9.0.0.14

IBM MQ 9.1 LTS

Apply cumulative security update 9.1.0.13

IBM MQ 9.2 LTS

Apply cumulative security update 9.2.0.8

IBM MQ 9.3 LTS

Apply cumulative security update 9.3.0.3

IBM MQ 9.1 CD, 9.2 CD and 9.3 CD

Upgrade to IBM MQ 9.3.1 and apply cumulative security update 9.3.1.1

Workarounds and Mitigations

None