Security Bulletin: IBM MQ is affected by a vulnerability in Eclipse Jetty (CVE-2024-22201)

Summary

An issue was found in Eclipse Jetty that is shipped with the IBM MQ Explorer.

Vulnerability Details

CVEID:CVE-2024-22201
**DESCRIPTION:**Eclipse Jetty is vulnerable to a denial of service, caused by a flaw when an HTTP/2 connection gets TCP congested. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the server to stop accepting new connections from valid clients, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/284253 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

The following installable MQ components are affected by the vulnerability:

- IBM MQ Explorer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins&gt;

Remediation/Fixes

This issue was addressed under APAR IT45816.

IBM MQ version 9.0 LTS

Apply Cumulative Security Update 9.0.0.26

IBM MQ version 9.1 LTS

Apply Cumulative Security Update 9.1.0.22

IBM MQ version 9.2 LTS

Apply Cumulative Security Update 9.2.0.26

IBM MQ version 9.3 CD

Upgrade to IBM MQ Explorer version 9.4

Workarounds and Mitigations

None