History: Feb 17, 2023 - 11:44 a.m.

Security Bulletin: IBM MQ Operator and Queue Manager container images are vulnerable to vulnerabilities from libksba and sqlite (CVE-2022-47629 and CVE-2022-35737)

Published: 2023-02-17 11:44:52
Source: www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.003 Low
Percentile: 65.0%

Summary

Issues were identified in Red Hat UBI packages libksba and sqlite that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID: CVE-2022-47629
DESCRIPTION: Libksba could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the CRL signature parser. An attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service.
CVSS Base score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/242850 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2022-35737
DESCRIPTION: SQLite is vulnerable to a denial of service, caused by an array-bounds overflow. By passing a specially crafted string argument to the C API, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/232832 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM MQ Operator | CD: 2.2.2 and prior releases; LTS: 2.0.7 and prior releases
IBM supplied MQ Advanced container images | 9.3.1.1-r1, 9.3.0.3-r1 and prior releases

Remediation/Fixes

The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.3.0 CD release, which includes the IBM supplied MQ Advanced 9.3.2.0-r1 container images, and in the IBM MQ Operator 2.0.8 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.4-r1 container images.

IBM MQ Operator 2.3.0 CD release details:

Image | Fix Version | Registry | Image Location
ibm-mq-operator | 2.3.0 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:66d75b33c95d7e70a5e85622ebe61e4429a8a6511bac3f14f96d04c71cea79c7
ibm-mqadvanced-server | 9.3.2.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:ee03e66d7bd05969c86bfd20a580bf179486552b478a68379787ea7dc4b107a5
ibm-mqadvanced-server-integration | 9.3.2.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8
ibm-mqadvanced-server-dev | 9.3.2.0-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:1495dc1c5af33829a69da82e56cf4d057177780177eb18d32d6e30c73218719c

IBM MQ Operator 2.0.8 LTS release details:

Image | Fix Version | Registry | Image Location
ibm-mq-operator | 2.0.8 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:ed3f5f1e3f14fde5796c48e72fd6576e182831b70c1a7218661e4cc02a419573
ibm-mqadvanced-server | 9.3.0.4-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:65ce0bea1d22faaee92d815229c4b010b239078a4fa37c96573f485350f41064
ibm-mqadvanced-server-integration | 9.3.0.4-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0
ibm-mqadvanced-server-dev | 9.3.0.4-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:83dd2715f462c9da6f0160b109f82b2bd29e7f175624b2dec40086fde384f571
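The remediation tables give both fix versions and image digests. As an added check (not IBM's code and not part of the bulletin), the following Python classifies the MQ image references found in a cluster (for example the output of `kubectl get pods -A -o jsonpath='{..image}'`) as fixed, affected or unknown against those values. It assumes that the 2.0.x operator and 9.3.0.x server streams are the LTS ones, which the bulletin's version list implies but does not state.

```python
import re
# Fix levels stated in the bulletin: operator CD 2.3.0 / LTS 2.0.8, server images
# CD 9.3.2.0-r1 / LTS 9.3.0.4-r1. Assumption, not stated by the bulletin: the LTS
# stream is the one with a zero in the marked component (2.0.x, 9.3.0.x), the rest is CD.
FIXED = {
    "operator": {"lts_index": 1, "LTS": (2, 0, 8), "CD": (2, 3, 0)},
    "server": {"lts_index": 2, "LTS": (9, 3, 0, 4, 1), "CD": (9, 3, 2, 0, 1)},
}
# Fixed image digests from the remediation tables; a digest-pinned image matching
# one of these is fixed whatever its tag says.
FIXED_DIGESTS = {
    "sha256:66d75b33c95d7e70a5e85622ebe61e4429a8a6511bac3f14f96d04c71cea79c7",
    "sha256:ee03e66d7bd05969c86bfd20a580bf179486552b478a68379787ea7dc4b107a5",
    "sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8",
    "sha256:1495dc1c5af33829a69da82e56cf4d057177780177eb18d32d6e30c73218719c",
    "sha256:ed3f5f1e3f14fde5796c48e72fd6576e182831b70c1a7218661e4cc02a419573",
    "sha256:65ce0bea1d22faaee92d815229c4b010b239078a4fa37c96573f485350f41064",
    "sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0",
    "sha256:83dd2715f462c9da6f0160b109f82b2bd29e7f175624b2dec40086fde384f571",
}
REF_RE = re.compile(r"^(?P<repo>[^@:]+)(?::(?P<tag>[^@]+))?(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_version(tag):
    """'9.3.0.3-r1' -> (9, 3, 0, 3, 1); '2.2.2' -> (2, 2, 2); None if not a version tag."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r(\d+))?", tag)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) + ((int(m.group(2)),) if m.group(2) else ())

def component(repo):
    name = repo.rsplit("/", 1)[-1]  # icr.io/ibm-messaging/mq is the -dev server image
    if name == "ibm-mq-operator":
        return "operator"
    return "server" if name == "mq" or name.startswith("ibm-mqadvanced-server") else None

def assess(image_ref):
    """Return 'fixed', 'affected' or 'unknown' for one container image reference."""
    m = REF_RE.match(image_ref)
    comp = component(m.group("repo")) if m else None
    if comp is None:
        return "unknown"  # not an image this bulletin covers
    if m.group("digest") in FIXED_DIGESTS:
        return "fixed"
    ver = parse_version(m.group("tag") or "")
    if ver is None:
        return "unknown"  # digest-only or non-version tag: resolve it against the registry
    fix = FIXED[comp]
    stream = "LTS" if len(ver) > fix["lts_index"] and ver[fix["lts_index"]] == 0 else "CD"
    return "fixed" if ver >= fix[stream] else "affected"
```

A tag without an -rN suffix sorts below the same version with one, so it is reported as affected; treat that result as a prompt to resolve the image digest in the registry.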

Workarounds and Mitigations

None
