CVSS3: 9.1 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | NONE |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

CVSS2: 6.4 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | PARTIAL |

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P

EPSS: 0.005 Low (Percentile: 76.5%)

Multiple issues were identified in Red Hat UBI (ubi8/ubi-minimal) v8.7-x packages (libxml2, expat, libtasn1 and systemd) that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.

CVEID: CVE-2022-40303
**DESCRIPTION:** Gnome libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the XML_PARSE_HUGE function. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238602 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2021-46848
**DESCRIPTION:** GNU Libtasn1 could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds access flaw in ETYPE_OK. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, or cause a denial of service condition.
CVSS Base score: 9.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240735 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

CVEID: CVE-2022-43680
**DESCRIPTION:** libexpat is vulnerable to a denial of service, caused by a use-after-free created by overeager destruction of a shared DTD in XML_ExternalEntityParserCreate in out-of-memory situations. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238951 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2022-40304
**DESCRIPTION:** Gnome libxml2 could allow a remote attacker to execute arbitrary code on the system, caused by a dict corruption flaw. By persuading a victim to open a specially-crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238603 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CVEID: CVE-2022-3821
**DESCRIPTION:** systemd is vulnerable to a denial of service, caused by an off-by-one error in the format_timespan() function of time-util.c. By sending specific values for time and accuracy, a local attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241051 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | CD: 2.2.1 and prior releases |
IBM MQ Operator | LTS: 2.0.6 and prior releases |
IBM supplied MQ Advanced container images | 9.3.0.1-r4, 9.3.1.0-r3 and prior releases |

The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.2.2 CD release, which included the IBM supplied MQ Advanced 9.3.1.1-r1 container images, and in the IBM MQ Operator 2.0.7 LTS release, which included the IBM supplied MQ Advanced 9.3.0.3-r1 container images.

IBM MQ Operator 2.2.2 CD release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.2.2 | icr.io | icr.io/cpopen/ibm-mq-operator@a6b37eedc436cf8673e82fd670722f61b375d281d26f38f8539f377a6d5d4abf |
ibm-mqadvanced-server | 9.3.1.1-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2 |
ibm-mqadvanced-server-integration | 9.3.1.1-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:966d870d250c59aede758f9ec88ff8260642161b342b51c4dd02927919a9eeb0 |
ibm-mqadvanced-server-dev | 9.3.1.1-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:fb4932d61046fc52bd5016e251998c9f2cd522b74b2e144e3aac1556cf50545c |
IBM MQ Operator V2.0.7 LTS release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.7 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:a7bc4ec452e76697d347c98421338489431fdca0d7cac2061236ce7b9c8bd366 |
ibm-mqadvanced-server | 9.3.0.3-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:30ac89278c7a13d9066c5be547968f1277ffb42fad28df72aa12736fcf42ea3b |
ibm-mqadvanced-server-integration | 9.3.0.3-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:17b996ef5fd7c32b053744eebfe962513d744d9af81fa5c7c32d4b3827987f09 |
ibm-mqadvanced-server-dev | 9.3.0.3-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:f3e845ba80345249dcb5a8e74e8d15921547e163c36a5275bd835f3c68f350bc |
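
The following is an added example, not IBM's code: a Python check that classifies the image references used in a deployment against fixed digests copied from the tables above. The function names, status labels and sample references are assumptions made for illustration, and `FIXED` embeds the `ibm-mqadvanced-server` digests and the 2.0.7 operator digest from this bulletin.

```python
import re

# Fixed-image digests copied from the bulletin's tables: repository -> digests.
FIXED = {
    "cp.icr.io/cp/ibm-mqadvanced-server": {
        # 9.3.1.1-r1 (CD)
        "sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2",
        # 9.3.0.3-r1 (LTS)
        "sha256:30ac89278c7a13d9066c5be547968f1277ffb42fad28df72aa12736fcf42ea3b",
    },
    "icr.io/cpopen/ibm-mq-operator": {
        # 2.0.7 (LTS)
        "sha256:a7bc4ec452e76697d347c98421338489431fdca0d7cac2061236ce7b9c8bd366",
    },
}
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def classify(image_ref):
    """Classify one image reference against the FIXED digests."""
    name, pinned, digest = image_ref.strip().partition("@")
    # Drop an optional :tag; a colon before the last "/" is a registry port.
    last = name.rsplit("/", 1)[-1]
    if ":" in last:
        name = name[: name.rfind(":")]
    if name not in FIXED:
        return "not-tracked"
    if not pinned:
        return "unpinned"          # a tag can be re-pointed; digest unknown
    if not DIGEST_RE.fullmatch(digest):
        return "malformed-digest"  # e.g. missing "sha256:" prefix
    return "fixed" if digest in FIXED[name] else "not-fixed"


def audit(image_refs):
    """Return {reference: status} for every reference that is not 'fixed'."""
    results = {ref: classify(ref) for ref in image_refs}
    return {ref: s for ref, s in results.items() if s != "fixed"}


if __name__ == "__main__":
    repo = "cp.icr.io/cp/ibm-mqadvanced-server"
    # Constructed sample of references as they might appear in pod specs.
    sample = [repo + "@" + sorted(FIXED[repo])[0],
              repo + ":9.3.1.0-r3",
              repo + "@sha256:" + "0" * 64]
    for ref, status in audit(sample).items():
        print(status, ref)
```

A reference pinned only by tag is reported as `unpinned` because the tag alone does not prove which image content is running.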
None
CPE Name | Operator | Version |
---|---|---|
ibm mq certified container software | eq | 2.0.7 |
ibm mq certified container software | eq | 2.2.2 |