Lucene search

IBM54A4079BB501594F7B14779526A0EA86C6EF9B159A381DA7CD00237EA925DBA1

HistoryDec 15, 2023 - 7:45 a.m.

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from shadow-utils, procps-ng, containerd, urllib3, nghttp2 and Golang

2023-12-1507:45:06

www.ibm.com

ibm mq operator

queue manager

ubi packages

ose

shadow-utils

procps-ng

containerd

urllib3

nghttp2

golang

9.1 High

AI Score

Confidence

High

0.72 High

EPSS

Percentile

98.1%

JSON

Summary

Multiple issues were identified in Red Hat UBI packages, go-toolset and OSE are fixed and shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID:CVE-2023-25153
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a memory exhaustion flaw when importing an OCI image. By using a specially-crafted image with a large file, a local attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247777 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4641
**DESCRIPTION:**shadow-maint shadow-utils could allow a local authenticated attacker to obtain sensitive information, caused by failing to clean the buffer used to store password information. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain password information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271763 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2023-39325
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268645 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-29409
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw. By persuading a victim to use a specially crafted certificate with large RSA keys, an remote attacker could exploit this vulnerability to cause a client/server to expend significant CPU time verifying signatures, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262400 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-25173
**DESCRIPTION:**containerd could allow a local authenticated attacker to bypass security restrictions, caused by improper setup for supplementary groups inside a container. By sending a specially-crafted request using supplementary group access, an attacker could exploit this vulnerability to bypass primary group restrictions.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247778 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:CVE-2023-43804
**DESCRIPTION:**urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw with cookie request header not stripped during cross-origin redirects. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268192 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:CVE-2023-39319
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265942 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2023-4016
**DESCRIPTION:**procps-ng procps is vulnerable to a denial of service, caused by a heap based buffer overflow when running the “ps” utility. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262340 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-31030
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request using the ExecSync API, a local authenticated attacker could exploit this vulnerability to cause containerd to consume all available memory on the computer, and results in a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/228282 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-39318
**DESCRIPTION:**Golang Go is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the html/template package. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265941 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2022-23471
**DESCRIPTION:**containerd is vulnerable to a denial of service, caused by a flaw in the CRI implementation. By sending a specially-crafted request, a remote authenticated attacker could exploit this vulnerability to exhaust memory on the host, and results in a denial of service condition.
CVSS Base score: 5.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-3978
**DESCRIPTION:**Golang html package is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2022-41723
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw in the HPACK decoder. By sending a specially-crafted HTTP/2 stream, a remote attacker could exploit this vulnerability to cause excessive CPU consumption, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247965 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-44487
**DESCRIPTION:**Multiple vendors are vulnerable to a denial of service, caused by a flaw in handling multiplexed streams in the HTTP/2 protocol. By sending numerous HTTP/2 requests and RST_STREAM frames over multiple streams, a remote attacker could exploit this vulnerability to cause a denial of service due to server resource consumption.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2022-41717
**DESCRIPTION:**Golang Go is vulnerable to a denial of service, caused by a flaw when handling HTTP/2 requests in the Go server. By sending a specially-crafted keys, a remote attacker could exploit this vulnerability to cause excessive memory growth, and results in a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/241875 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**IBM X-Force ID:**PSIRT-ADV0039388
**DESCRIPTION:**Created from Advisory: ADV0039388
CVSS Base score: 6.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ Operator

**CD:**v2.4.0 - v2.4.5, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3

LTS: v2.0.0 - 2.0.16

IBM supplied MQ Advanced container images|

CD: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus,
9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3,
9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2

**
LTS: **9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus,
9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1,
9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2,
9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1

Remediation/Fixes

Issue mentioned by this security bulletin is addressed in -

IBM MQ Operator v3.0.0 CD release that included IBM supplied MQ Advanced 9.3.4.0-r1 container image
IBM MQ Operator v2.0.17 LTS release that included IBM supplied MQ Advanced 9.3.0.11-r2 container image
IBM MQ Operator v2.4.6 release that included IBM supplied MQ Advanced 9.3.3.2-r3 container image

IBM strongly recommends applying the latest container images.

**IBM MQ Operator 3.0.0 CD release details:

Image

Fix Version

Registry

Image Location

—|—|—|—

ibm-mq-operator

v3.0.0

icr.io

icr.io/cpopen/ibm-mq-operator@sha256:773803d12474068d4a16cb08c414bc33861446aea1da4a565a5239348d29b9c5

ibm-mqadvanced-server

9.3.4.0-r1

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:808c640ff87614c59443bc8c04d6b80379605cf8993e24a295a416d001e1469a

ibm-mqadvanced-server-integration

9.3.4.0-r1

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:0f391e76ff45072bdf967a7a3d3cf2b89a0af082fb69c88a9f928bf343080112

ibm-mqadvanced-server-dev

9.3.4.0-r1

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:ef0085444d50b6823c2e431874cc7dc6a00f78189a83fef6d8ab08f295fbf80e

**IBM MQ Operator V2.0.17 LTS release details: **

Image

Fix Version

Registry

Image Location

—|—|—|—

ibm-mq-operator

2.0.17

icr.io

icr.io/cpopen/ibm-mq-operator@sha256:816ffdd6561d1d0980ae060cb05fbbf2fddbfc260a356296622ed195bde49057

ibm-mqadvanced-server

9.3.0.11-r2

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:0df7026432485d145b964420bbb9f6ca8b6543f8ac0961d2d6a089764564690b

ibm-mqadvanced-server-integration

9.3.0.11-r2

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:67ea0ea415ec5d405a531cad6ccedf97147b3dc66cf91d8562c05d8fab34e11d

ibm-mqadvanced-server-dev

9.3.0.11-r2

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:ea24b093dd3ed13c5690844cd8d4d2b9c9aaac9712335901698da76b1d24ae48

**IBM MQ Operator V2.4.6 CD release details: **

Image

Fix Version

Registry

Image Location

—|—|—|—

ibm-mq-operator

v2.4.6

icr.io

icr.io/cpopen/ibm-mq-operator@sha256:3665768acd0b2b9246c327bce3c96bb92dd96899bcff0653bea51a8020e29d63

ibm-mqadvanced-server

9.3.3.2-r3

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:3a96a90ba0769a01873582ecbb47aa82ab6c2f54259b719b80d325af734563eb

ibm-mqadvanced-server-integration

9.3.3.2-r3

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:71b8b0d872813291af6de1ad23b057947c0bb3da481531775887673a18d71598

ibm-mqadvanced-server-dev

9.3.3.2-r3** **

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:56c4fae30eea3fd15b9d750e27f705da620ef975e20f79641002bfb48295d3ae

Workarounds and Mitigations

None

CPE configuration

Vulners

ibmmq_certified_containerMatch3.0.0

ibmmq_certified_containerMatch2.0.17

CPENameOperatorVersion
ibm mq certified container softwareeq3.0.0
ibm mq certified container softwareeq2.0.17

CPE	Name	Operator	Version
	ibm mq certified container software	eq	3.0.0
	ibm mq certified container software	eq	2.0.17

9.1 High

AI Score

Confidence

High

0.72 High

EPSS

Percentile

98.1%

JSON

Related for 54A4079BB501594F7B14779526A0EA86C6EF9B159A381DA7CD00237EA925DBA1