IBM4CBD7854A4B805AFB7141C834B70D71950B061B39CD9568C6A9B0865C04FECE2Security Bulletin: IBM MQ Internet Pass-Thru traces sensitive data (CVE-2022-35719)
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
5.1%
Summary
An issue was found within IBM MQ Internet Pass-Thru which causes sensitive data to be written to trace files when trace is enabled.
Vulnerability Details
CVEID:CVE-2022-35719
**DESCRIPTION:**IBM MQ Internet Pass-Thru 2.1, 9.2 LTS and 9.2 CD stores potentially sensitive information in trace files that could be read by a local user.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/231370 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ Internet Pass-Thru | 2.1 |
| IBM MQ Internet Pass-Thru | 9.2 CD |
| IBM MQ Internet Pass-Thru | 9.2 LTS |
Remediation/Fixes
IBM MQ Internet Pass-Thru 2.1
Note: MQ IPT 2.1.0.6 is provided on Solaris platforms only, for users with appropriate extended support entitlement. Contact IBM support to obtain the installation files for MQIPT 2.1.0.6 on Solaris. Users of MQ IPT 2.1 on all other platforms should migrate to one of the MQ IPT 9.2 levels listed below (or later).
IBM MQ Internet Pass-Thru 9.2 LTS
IBM MQ Internet Pass-Thru 9.2 CD
Workarounds and Mitigations
None
Affected configurations
Related
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
5.1%