Lucene search

K
ibmIBM274B8DA8E886AD10D2ABC0F17C9502879E32577228D9DECB974BCE12DF093D67
HistoryDec 18, 2020 - 2:05 p.m.

Security Bulletin: IBM MQ is affected by a vulnerability in json-c (CVE-2020-12762)

2020-12-1814:05:07
www.ibm.com
16
ibm mq
json-c vulnerability
remote code execution
integer overflow
out-of-bounds write
cvss 7.8
version 9.1 lts
version 9.2 cd
version 9.2 lts
ifix
apar it33880
fixpack 9.2.0.1
upgrade to ibm mq 9.2.1

EPSS

0.001

Percentile

44.5%

Summary

An applicable vulnerability was found in the json-c library that is bundled with MQ server and native client installations.

Vulnerability Details

CVEID:CVE-2020-12762
**DESCRIPTION:**json-c could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow and out-of-bounds write. By persuading a victim to run a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182094 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.1 LTS
IBM MQ 9.2 CD
IBM MQ 9.2 LTS

Remediation/Fixes

IBM MQ version 9.1 LTS

Apply iFix for APAR IT33880

IBM MQ version 9.2 LTS

Apply Fixpack 9.2.0.1

IBM MQ version 9.2 CD

Upgrade to IBM MQ 9.2.1

Workarounds and Mitigations

None