Jun 22, 2021 - 5:33 p.m.

Security Bulletin: IBM MQ is vulnerable to an issue within OpenSSL (CVE-2021-23840)

www.ibm.com

EPSS: 0.008 (percentile: 82.3%)

Summary

An issue was identified with OpenSSL which is shipped on IBM MQ for IBM i platforms and used within the Advanced Messaging Security component.

Vulnerability Details

**CVEID:** CVE-2021-23840
**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate. By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196848 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
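
The class of defect described above, shown as an added example that is not code from IBM or OpenSSL: a constructed model of a block-cipher update length calculation, with an unchecked form beside a form that fails closed. The function names, the `buffered`/`inl`/`bl` parameters and the assumption that the overflow lands in an `int` output length are illustrative.

```c
#include <limits.h>
#include <stdio.h>

/* Constructed model of a block-cipher "update" length calculation.
 * NOT OpenSSL source; names and structure are assumptions.
 * buffered: bytes held over from earlier calls (0 <= buffered < bl)
 * inl:      bytes supplied in this call
 * bl:       cipher block size in bytes */

/* Unchecked form: the byte count is computed, then narrowed to int.
 * For inl close to INT_MAX the value no longer fits, and on common
 * two's-complement platforms the caller sees a negative length. */
int outlen_unchecked(int buffered, int inl, int bl)
{
    unsigned int total = (unsigned int)buffered + (unsigned int)inl;
    unsigned int out = (total / (unsigned int)bl) * (unsigned int)bl;
    return (int)out; /* implementation-defined narrowing; wraps on gcc/clang */
}

/* Checked form: do the arithmetic in a wider type and refuse the call
 * when the result cannot be represented in the int output length.
 * Returns 1 and sets *outl on success, 0 on rejected input. */
int outlen_checked(int buffered, int inl, int bl, int *outl)
{
    if (outl == NULL || bl <= 0 || inl < 0 || buffered < 0 || buffered >= bl)
        return 0;
    long long total = (long long)buffered + (long long)inl;
    long long out = (total / bl) * bl;   /* whole blocks only */
    if (out > INT_MAX)
        return 0;                        /* would overflow: fail closed */
    *outl = (int)out;
    return 1;
}

int main(void)
{
    int outl = 0;
    int ok = outlen_checked(15, INT_MAX, 16, &outl);
    printf("oversized call: unchecked=%d checked_ok=%d\n",
           outlen_unchecked(15, INT_MAX, 16), ok);
    ok = outlen_checked(15, 17, 16, &outl);
    printf("normal call: ok=%d outl=%d\n", ok, outl);
    return 0;
}
```

A caller that treats a success return plus a negative length as valid is what turns the arithmetic error into a crash, which is why the checked form rejects the call instead of returning a wrapped value.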

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.0 LTS |
| IBM MQ | 8.0 |
| IBM MQ | 9.2 LTS |

Remediation/Fixes

This issue was addressed under APAR SE74947.

IBM MQ Version 8

Apply fix pack 8.0.0.16

IBM MQ Version 9.0

Apply interim fix for SE74947 for 9.0.0.11

IBM MQ Version 9.1 LTS

Apply fix pack 9.1.0.8

IBM MQ Version 9.2 LTS

Apply fix pack 9.2.0.2

Workarounds and Mitigations

None