Security Bulletin: IBM MQ Appliance is affected by Pacemaker vulnerabilities (CVE-2018-16878, CVE-2018-16877, CVE-2019-3885)

Summary

IBM MQ Appliance has resolved Pacemaker vulnerabilities.

Vulnerability Details

CVEID:CVE-2018-16878
**DESCRIPTION:**Pacemaker is vulnerable to a denial of service, caused by an insufficient verification inflicted preference of uncontrolled processes. A remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159858 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2018-16877
**DESCRIPTION:**Pacemaker could allow a local attacker to gain elevated privileges on the system, caused by a flaw in the authentication in the client server. An attacker could exploit this vulnerability to escalate privileges.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159859 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2019-3885
**DESCRIPTION:**Pacemaker could allow a remote attacker to obtain sensitive information, caused by a use-after-free flaw. A remote attacker could exploit this vulnerability to obtain sensitive information from the system logs.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159857 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

IBM MQ Appliance 9.1 LTS

Apply fixpack 9.1.0.6, or later maintenance

IBM MQ Appliance 9.1 CD

Upgrade to 9.2.1, or later maintenance

Workarounds and Mitigations

Only affects IBM MQ Appliances configured as part of a Highly Available group, where the appliances are not directly connected.