Security Bulletin: Insufficient authorization check in IBM supplied MQ Advanced for Integration container image (CVE-2023-26284)

Published: 2023-03-06 12:16:00
Source: www.ibm.com
Tags: ibm supplied mq advanced, authentication flaw, container image, administration access, improper access controls, cve-2023-26284

CVSS3 (Vulners assessment): 8.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

EPSS: 0.001 (Low), percentile 32.5%

Summary

When using the IBM supplied MQ Advanced for Integration container image (ibm-mqadvanced-server-integration), all users authenticated with the cluster are granted administration access to the MQ Console without their IAM access rights being checked. The MQ Console log reports the following error: CWWKF0042E: A feature definition cannot be found for the bells-1.0 feature. Try running the command, bin/installUtility install bells-1.0, to install the feature.

Vulnerability Details

CVEID: CVE-2023-26284
**DESCRIPTION:** IBM MQ Certified Container could allow users authenticated with the cluster to be granted administration access to the MQ Console due to improper access controls.
CVSS Base score: 7.5
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/248417 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s): IBM Supplied MQ Advanced Queue Manager Container images (ibm-mqadvanced-server-integration)
Version(s): 9.3.0.1-r1 to 9.3.0.1-r4 (inclusive), 9.3.0.3-r1, 9.3.1.0-r1 to 9.3.1.0-r3 (inclusive), and 9.3.1.1-r1

Remediation/Fixes

Issues listed by this security bulletin are addressed in IBM supplied MQ Advanced 9.3.2.0 container image for CD release and IBM supplied MQ Advanced 9.3.0.4 container image for LTS release.

IBM supplied MQ Advanced 9.3.2.0 container image for CD release:

Image: ibm-mqadvanced-server-integration
Fix Version: 9.3.2.0-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8

IBM supplied MQ Advanced 9.3.0.4 container image for LTS release:

Image: ibm-mqadvanced-server-integration
Fix Version: 9.3.0.4-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0
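The affected list above is a set of inclusive tag ranges in which the -rN image revision is part of the version, and the fixes are published as digests, so checking a cluster by eye is error-prone. The Python below is an added example, not IBM's tooling, that encodes the bulletin's affected ranges and fixed digests and classifies a deployed image reference against them. It assumes references of the form registry[:port]/path/name[:tag][@sha256:hex]; the references in the main block are constructed for illustration.

```python
import re
from typing import Optional, Tuple

IMAGE_NAME = "ibm-mqadvanced-server-integration"

# Affected tags as listed in the bulletin; each pair is an inclusive range.
AFFECTED_RANGES = [
    ("9.3.0.1-r1", "9.3.0.1-r4"),
    ("9.3.0.3-r1", "9.3.0.3-r1"),
    ("9.3.1.0-r1", "9.3.1.0-r3"),
    ("9.3.1.1-r1", "9.3.1.1-r1"),
]

# Fixed images, tag -> digest, copied from the Remediation/Fixes tables.
FIXED_IMAGES = {
    "9.3.2.0-r1": "sha256:872859970008904bd4918edec8e4449fa8c0ad2dce2a261c2d0ac0ffcf0deeb8",
    "9.3.0.4-r1": "sha256:1ec485ddb8782303cf978c79b8d45ba130bcd00ba523ff83ef4b55342b3dedb0",
}

# Tag layout used by these images: <four-part MQ version>-r<image revision>.
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)$")


def parse_tag(tag: str) -> Tuple[int, ...]:
    """Turn '9.3.1.0-r2' (or 'v9.3.1.0-r2') into (9, 3, 1, 0, 2) so tags compare numerically."""
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised image tag: {tag!r}")
    return tuple(int(g) for g in m.groups())


def is_affected_tag(tag: str) -> bool:
    """True when the tag falls inside one of the bulletin's inclusive affected ranges."""
    v = parse_tag(tag)
    return any(parse_tag(lo) <= v <= parse_tag(hi) for lo, hi in AFFECTED_RANGES)


def parse_reference(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split 'registry[:port]/path/name[:tag][@sha256:hex]' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, tag = ref.rpartition(":")
    # A ':' whose remainder contains '/' is a registry port, not a tag (assumed layout).
    if not sep or "/" in tag:
        head, tag = ref, None
    name = head.rsplit("/", 1)[-1]
    return name, tag, digest


def assess(ref: str) -> str:
    """Classify a deployed image reference against this bulletin."""
    name, tag, digest = parse_reference(ref)
    if name != IMAGE_NAME:
        return "other-image"
    # A digest is immutable, so it is the authoritative evidence of a fixed image.
    if digest is not None:
        return "fixed" if digest in FIXED_IMAGES.values() else "unknown-digest"
    if tag is None:
        return "untagged"
    if tag in FIXED_IMAGES:
        return "fixed-tag"  # tags are mutable: re-pull by digest to be certain
    try:
        return "affected" if is_affected_tag(tag) else "not-listed"
    except ValueError:
        return "unparsed-tag"


if __name__ == "__main__":
    # Constructed references, not taken from any real cluster.
    for ref in (
        "cp.icr.io/cp/ibm-mqadvanced-server-integration:9.3.1.0-r2",
        "cp.icr.io/cp/ibm-mqadvanced-server-integration:9.3.0.1-r5",
        "cp.icr.io/cp/ibm-mqadvanced-server-integration@" + FIXED_IMAGES["9.3.0.4-r1"],
        "registry.example.internal:5000/mirror/ibm-mqadvanced-server-integration:9.3.2.0-r1",
    ):
        print(f"{ref}: {assess(ref)}")
```

On a Kubernetes cluster the values to feed in are the imageID fields from pod status (for example via kubectl get pods -A -o jsonpath on status.containerStatuses), since those carry the digest actually pulled rather than the tag requested; a tag that is not in the bulletin's list, such as 9.3.0.1-r5 in the example, is reported as not-listed rather than safe, because the bulletin only enumerates the versions it names.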

Workarounds and Mitigations

None
