Security Bulletin: IBM MQ Operator and Queue Manager container images are vulnerable to denial of service, privilege escalation and Kerberos 5 vulnerabilities

Published: 2024-09-06 09:28:18
Source: www.ibm.com

CVSS3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: NONE
  • Availability Impact: HIGH

AI Score: 8.1 (Confidence: High)
EPSS: 0.001 (Percentile: 37.7%)

Summary

Kerberos 5 and IBM MQ, as used by the IBM MQ Operator and Queue Manager container images, are vulnerable to denial of service due to improper memory allocation, and to privilege escalation that may allow security restrictions to be bypassed. This bulletin identifies the steps required to address these vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2024-40681 DESCRIPTION: IBM MQ could allow an authenticated user in a specifically defined role to bypass security restrictions and execute actions against the queue manager.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297613 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2024-40680 DESCRIPTION: IBM MQ could allow a local user to cause a denial of service due to improper memory allocation causing a segmentation fault.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/297611 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-37371 DESCRIPTION: MIT Kerberos 5 (aka krb5) is vulnerable to a denial of service, caused by invalid memory reads during GSS message token handling. By sending specially crafted message tokens, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2024-37370 DESCRIPTION: MIT Kerberos 5 (aka krb5) could allow a remote attacker to bypass security restrictions, caused by improper access control. By sending a specially crafted request to modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, an attacker could exploit this vulnerability to cause the unwrapped token to appear truncated to the application.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/296012 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H)

Affected Products and Versions

Affected Product(s) and Version(s)

IBM MQ Operator
  • SC2 (formerly LTS): v3.2.0 - v3.2.3
  • CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3
  • LTS: v2.0.0 - 2.0.25
  • Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images
  • CD: 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2, 9.3.5.1-r1, 9.3.5.1-r2
  • LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2
  • Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, 9.3.3.3-r1, 9.3.3.3-r2

Remediation/Fixes

The issues described in this security bulletin are addressed in:

  • IBM MQ Operator v3.2.4 SC2 (formerly LTS) release, which includes the IBM supplied MQ Advanced 9.4.0.5-r1 container image.
  • IBM MQ Operator v2.0.26 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.21-r1 container image.

IBM strongly recommends applying the latest container images.

Note:

  1. The fix details above for CVE-2024-37370 and CVE-2024-37371 apply only to the IBM MQ Operator v2.0.26 LTS release.
  2. The fix details above for CVE-2024-40680 apply only to the IBM MQ Operator v3.2.4 SC2 release.

IBM MQ Operator v3.2.4 CD and SC2 (formerly LTS) release details:

| Image | Fix Version | Registry | Image Location |
|---|---|---|---|
| ibm-mq-operator | v3.2.4 | icr.io | cp.icr.io/cpopen/ibm-mq-operator@sha256:59fdf04acac4eb2d84e99c831796c63e14ce7ffe92076b8911a798b9da3b5d8a |
| ibm-mqadvanced-server | 9.4.0.5-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:bdf741222bb8d40218ef9f391da4123be4d91dc040092463d44328e7c155fd93 |
| ibm-mqadvanced-server-integration | 9.4.0.5-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-serv-integration@sha256:edbce5af3817d17da4e273b334b5f92f0627544b8417fbfef81adc6821af001f |
| ibm-mqadvanced-server-dev | 9.4.0.5-r1 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:16545bba8847bf8417190f1f1386bf1d292637585cf69f145bac10fc0c80559a |

IBM MQ Operator V2.0.26 LTS release details:

| Image | Fix Version | Registry | Image Location |
|---|---|---|---|
| ibm-mq-operator | v2.0.26 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:6f08d54dbe7e38ff9767b125787eff120a7ddb38c3acc5f72d739fb23be7c853 |
| ibm-mqadvanced-server | 9.3.0.21-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:e41f97c23607bfab39e0160e2f1e9927d5f203c4851dee29fb6ee27893f79cdc |
| ibm-mqadvanced-server-integration | 9.3.0.21-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:a851f5491d3230b25c8866f8311751fdb29f2ff8ca43e022b7542e0905d29ee9 |
| ibm-mqadvanced-server-dev | 9.3.0.21-r1 | icr.io | icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:26c301ce7036c2b6c20a9ac6cf720170822d558dc76894c5bb6d78ccdb9e53f8 |
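A defender's inventory check, added here and not part of IBM's bulletin: it classifies the MQ containers in a cluster as fixed, affected or unknown, trusting a digest match against the fixed image digests above before falling back to the version tag. The version rule is my reading of the affected-version table (at or above 9.4.0.5 or 9.3.0.21 within its stream is fixed, every other listed 9.x level is not), and the pod JSON is a constructed sample, not real cluster output.

```python
import json
import re

# Digests of the fixed images from the bulletin (v3.2.4 SC2 and v2.0.26 LTS releases).
FIXED_DIGESTS = {
    "sha256:59fdf04acac4eb2d84e99c831796c63e14ce7ffe92076b8911a798b9da3b5d8a",  # ibm-mq-operator v3.2.4
    "sha256:bdf741222bb8d40218ef9f391da4123be4d91dc040092463d44328e7c155fd93",  # ibm-mqadvanced-server 9.4.0.5-r1
    "sha256:edbce5af3817d17da4e273b334b5f92f0627544b8417fbfef81adc6821af001f",  # ...-server-integration 9.4.0.5-r1
    "sha256:16545bba8847bf8417190f1f1386bf1d292637585cf69f145bac10fc0c80559a",  # ibm-mqadvanced-server-dev 9.4.0.5-r1
    "sha256:6f08d54dbe7e38ff9767b125787eff120a7ddb38c3acc5f72d739fb23be7c853",  # ibm-mq-operator v2.0.26
    "sha256:e41f97c23607bfab39e0160e2f1e9927d5f203c4851dee29fb6ee27893f79cdc",  # ibm-mqadvanced-server 9.3.0.21-r1
    "sha256:a851f5491d3230b25c8866f8311751fdb29f2ff8ca43e022b7542e0905d29ee9",  # ...-server-integration 9.3.0.21-r1
    "sha256:26c301ce7036c2b6c20a9ac6cf720170822d558dc76894c5bb6d78ccdb9e53f8",  # ibm-mqadvanced-server-dev 9.3.0.21-r1
}
# Queue manager image tags look like 9.3.0.20-r2 (optionally followed by -eus).
TAG_RE = re.compile(r"ibm-mqadvanced-server[\w-]*:(\d+)\.(\d+)\.(\d+)\.(\d+)-r\d+")

def tag_is_fixed(version):
    """Fixed levels per the bulletin: 9.4.0.5-r1 (SC2) and 9.3.0.21-r1 (LTS). Our reading of the
    affected-version table: at/above those in their stream is fixed, every other listed 9.x level is not."""
    return version >= (9, 4, 0, 5) or (9, 3, 0, 21) <= version < (9, 3, 1, 0)

def classify_image(image, image_id):
    """Return 'fixed', 'affected' or 'unknown' for one container's image/imageID pair."""
    digest = re.search(r"sha256:[0-9a-f]{64}", image_id or "")
    if digest and digest.group(0) in FIXED_DIGESTS:
        return "fixed"  # a digest match is authoritative; tags are mutable, digests are not
    m = TAG_RE.search(image)
    if not m:
        return "unknown"  # not an MQ queue manager image, or no version tag to reason about
    return "fixed" if tag_is_fixed(tuple(int(x) for x in m.groups())) else "affected"

def check_pods(pods_json):
    """Classify every container in `kubectl get pods -A -o json` output, keyed by ns/pod/container."""
    results = {}
    for pod in json.loads(pods_json)["items"]:
        prefix = f"{pod['metadata']['namespace']}/{pod['metadata']['name']}"
        for cs in pod["status"].get("containerStatuses", []):
            results[f"{prefix}/{cs['name']}"] = classify_image(cs["image"], cs.get("imageID", ""))
    return results

# Constructed sample pod list (not real cluster output): one stale queue manager, one fixed operator.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "mq", "name": "qm1-ibm-mq-0"}, "status": {"containerStatuses": [
        {"name": "qmgr", "image": "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.20-r2",
         "imageID": "cp.icr.io/cp/ibm-mqadvanced-server@sha256:" + "0" * 64}]}},
    {"metadata": {"namespace": "ibm-mq", "name": "ibm-mq-operator-7d9"}, "status": {"containerStatuses": [
        {"name": "operator", "image": "icr.io/cpopen/ibm-mq-operator:3.2.4",
         "imageID": "icr.io/cpopen/ibm-mq-operator@sha256:59fdf04acac4eb2d84e99c831796c63e14ce7ffe92076b8911a798b9da3b5d8a"}]}},
]})
```

Feed `check_pods` the output of `kubectl get pods -A -o json`; anything reported as "affected" is still running a level listed in the table above.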

Workarounds and Mitigations

None

Affected configurations (CPE)

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | mq_certified_container | 3.2.4 | cpe:2.3:a:ibm:mq_certified_container:3.2.4:*:*:*:lts:*:*:* |
| ibm | mq_certified_container | 2.0.26 | cpe:2.3:a:ibm:mq_certified_container:2.0.26:*:*:*:lts:*:*:* |
