Aggregate severity | Score | Vector |
---|---|---|
CVSS3 | 9.8 High | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CVSS2 | 7.5 High | AV:N/AC:L/Au:N/C:P/I:P/A:P |
EPSS | 0.006 Low | Percentile 79.0% |

CVSS3 metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

CVSS2 metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Multiple issues were identified in the Red Hat UBI (ubi8/ubi-minimal) v8.6-x packages Expat, SQLite, libxml2, Libksba, zlib and GnuTLS that were shipped with IBM MQ Operator and the IBM supplied MQ Advanced container images. These vulnerabilities have been addressed.
CVEID: CVE-2022-23990
**DESCRIPTION:** Expat (aka libexpat) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the doProlog function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2020-35525
**DESCRIPTION:** SQLite is vulnerable to a denial of service, caused by a NULL pointer dereference flaw in the INTERSECT query processing. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235225 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2020-35527
**DESCRIPTION:** SQLite could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds memory access flaw through ALTER TABLE for views that have a nested FROM clause… By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/235226 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2016-3709
**DESCRIPTION:** GNOME libxml2 is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the KippoInput.class.php script. A remote attacker could exploit this vulnerability using the $file_link parameter to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232446 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
CVEID: CVE-2022-40674
**DESCRIPTION:** libexpat could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in the doContent function in xmlparse.c. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/236116 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-3515
**DESCRIPTION:** GnuPG Libksba could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the CRL parser. By sending specially-crafted data, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/239062 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-37434
**DESCRIPTION:** zlib is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by inflate in inflate.c. By using a large gzip header extra field, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 7.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232849 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2022-2509
**DESCRIPTION:** GnuTLS is vulnerable to a denial of service, caused by a double free flaw during the verification of pkcs7 signatures in the gnutls_pkcs7_verify function. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/232507 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | LTS release 2.0.4 and CD release 2.1 |
IBM supplied MQ Advanced container images | 9.3.0.1-r2, 9.3.1.0-r1 and prior releases |
Issues listed by this security bulletin are addressed in the IBM MQ Operator 2.2.0 CD release, which includes the IBM supplied MQ Advanced 9.3.1.0-r2 container images, and in the IBM MQ Operator 2.0.5 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.1-r3 container images.
IBM MQ Operator 2.2.0 CD release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.2.0 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:6a8c8be20a4bf86af5956b6398026c5fd383a60451c8a82099d6bca7fc33c577 |
ibm-mqadvanced-server | 9.3.1.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:206056d4ee3a069f8bd5d37e5a7330c638c569e0e10fd77c969c54ddb9edbbef |
ibm-mqadvanced-server-integration | 9.3.1.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:c80fabcb6946283399d0692045a00ce68390d6aa30a5f7de383438098a02846c |
ibm-mqadvanced-server-dev | 9.3.1.0-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:ca3e4118c147ed30afd3e1c7ae0eacf7dbef3b79717e6a31d4a2c5795b9d60ac |
IBM MQ Operator 2.0.5 LTS release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.5 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:c1ae1c30ee06c60c2d82933f7ccfbe7b598eec8bd12f9c9619d6ef761b85c462 |
ibm-mqadvanced-server | 9.3.0.1-r3 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:474a05145d69fbcd948bea2162865aa4c6563de60b1273e43cd988aa8c8f97eb |
ibm-mqadvanced-server-integration | 9.3.0.1-r3 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:dcede4530546017be9066124aa90c702c8ff1616050e9269a643096b4018803f |
ibm-mqadvanced-server-dev | 9.3.0.1-r3 | icr.io | icr.io/ibm-messaging/mq@sha256:e3e1bb84dc8fe7d149aa18723883d542cb0e090e292ecdfc3f250593b41fd94c |
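The fix tables above identify the remediated images by sha256 digest, which is the only identity that cannot be re-pointed the way a tag can. The following is an added example (not IBM tooling) of how an operator might classify the image references actually running in a cluster against those digests. The repositories and digests are copied from the bulletin's tables; the references in SAMPLE_REFS are constructed for the demonstration, and the mirrored-registry case shows that the repository map has to be extended for images pulled through a private mirror.

```python
"""Classify container image references against the fixed image digests in
this bulletin (IBM MQ Operator 2.2.0 CD and 2.0.5 LTS).

Added example, not IBM tooling. The repositories and sha256 digests below
are copied from the bulletin's fix tables; the image references in
SAMPLE_REFS are constructed for the demonstration.
"""

from typing import Dict, List, NamedTuple, Optional, Set

# repository -> digests that carry the fix, taken from the bulletin's tables
FIXED_DIGESTS: Dict[str, Set[str]] = {
    "icr.io/cpopen/ibm-mq-operator": {
        "sha256:6a8c8be20a4bf86af5956b6398026c5fd383a60451c8a82099d6bca7fc33c577",  # 2.2.0 CD
        "sha256:c1ae1c30ee06c60c2d82933f7ccfbe7b598eec8bd12f9c9619d6ef761b85c462",  # 2.0.5 LTS
    },
    "cp.icr.io/cp/ibm-mqadvanced-server": {
        "sha256:206056d4ee3a069f8bd5d37e5a7330c638c569e0e10fd77c969c54ddb9edbbef",  # 9.3.1.0-r2
        "sha256:474a05145d69fbcd948bea2162865aa4c6563de60b1273e43cd988aa8c8f97eb",  # 9.3.0.1-r3
    },
    "cp.icr.io/cp/ibm-mqadvanced-server-integration": {
        "sha256:c80fabcb6946283399d0692045a00ce68390d6aa30a5f7de383438098a02846c",  # 9.3.1.0-r2
        "sha256:dcede4530546017be9066124aa90c702c8ff1616050e9269a643096b4018803f",  # 9.3.0.1-r3
    },
    "icr.io/ibm-messaging/mq": {
        "sha256:ca3e4118c147ed30afd3e1c7ae0eacf7dbef3b79717e6a31d4a2c5795b9d60ac",  # 9.3.1.0-r2 (dev)
        "sha256:e3e1bb84dc8fe7d149aa18723883d542cb0e090e292ecdfc3f250593b41fd94c",  # 9.3.0.1-r3 (dev)
    },
}


class ImageRef(NamedTuple):
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo[:tag][@sha256:...]' into its parts.

    A tag is a ':' that comes after the last '/', so a registry port such as
    'registry.example.internal:5000/...' is not mistaken for a tag.
    """
    digest: Optional[str] = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag: Optional[str] = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        tag = ref[colon + 1:]
        ref = ref[:colon]
    return ImageRef(ref, tag, digest)


def assess(ref: str) -> str:
    """Return one of: fixed, not-listed, unpinned, not-in-scope."""
    img = parse_image_ref(ref)
    fixed = FIXED_DIGESTS.get(img.repository)
    if fixed is None:
        # Repository not in the bulletin's tables. Images pulled through a
        # private mirror land here until the map is extended with the mirror path.
        return "not-in-scope"
    if img.digest is None:
        # Tag-only reference: a tag can be re-pointed, so it does not prove which build is running.
        return "unpinned"
    if img.digest in fixed:
        return "fixed"
    # Pinned, but not one of the bulletin's fix digests: could be an earlier
    # (affected) build or a later release, so the release must be checked.
    return "not-listed"


# Constructed sample references, as they might appear in pod specs.
SAMPLE_REFS: List[str] = [
    "icr.io/cpopen/ibm-mq-operator@sha256:6a8c8be20a4bf86af5956b6398026c5fd383a60451c8a82099d6bca7fc33c577",
    "cp.icr.io/cp/ibm-mqadvanced-server:9.3.1.0-r1",
    "cp.icr.io/cp/ibm-mqadvanced-server@sha256:" + "0" * 64,
    "registry.example.internal:5000/mirror/ibm-mqadvanced-server:9.3.1.0-r2",
]


def report(refs: List[str]) -> Dict[str, str]:
    """Map each reference to its verdict, preserving input order."""
    return {r: assess(r) for r in refs}


if __name__ == "__main__":
    for ref, verdict in report(SAMPLE_REFS).items():
        print(f"{verdict:13} {ref}")
```

In practice the input list would come from the running workload (for example the image fields of the operator and queue-manager pods) rather than from SAMPLE_REFS; the "unpinned" verdict is the one to act on first, since a tag-only reference gives no evidence of which build is deployed.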
None
CPE | Name | Operator | Version |
---|---|---|---|
| ibm mq certified container software | eq | 2.2.0 |
| ibm mq certified container software | eq | 2.0.5 |