Security Bulletin: IBM MQ Explorer is affected by vulnerabilities in Eclipse Jetty (CVE-2023-26048, CVE-2023-26049)

2023-09-01 16:02:29
Source: www.ibm.com

CVSS3 score: 5.3 Medium

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: NONE
- Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.002 Low (percentile 61.4%)

Summary

IBM MQ is affected by vulnerabilities in Eclipse Jetty, which is used in the IBM MQ Explorer component.

Vulnerability Details

CVEID: CVE-2023-26048
**DESCRIPTION:** Eclipse Jetty is vulnerable to a denial of service, caused by an out-of-memory flaw in the HttpServletRequest.getParameter() or HttpServletRequest.getParts() function. By sending a specially crafted multipart request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253356 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-26049
**DESCRIPTION:** Eclipse Jetty could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw during nonstandard cookie parsing. By sending a specially crafted request to tamper with the cookie parsing mechanism, an attacker could exploit this vulnerability to obtain values from other cookies, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253355 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---------------------|------------|
| IBM MQ              | 9.0 LTS    |
| IBM MQ              | 9.1 LTS    |
| IBM MQ              | 9.2 LTS    |
| IBM MQ              | 9.3 CD     |

The following installable MQ components are affected by the vulnerability:

- IBM MQ Explorer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

This issue was resolved under APAR IT43737.

IBM MQ 9.0 LTS

Apply Cumulative Security Update 9.0.0.19

IBM MQ 9.1 LTS

Apply Cumulative Security Update 9.1.0.17

IBM MQ 9.2 LTS

Apply FixPack 9.2.0.15

IBM MQ 9.3 CD

Upgrade to IBM MQ 9.3.3
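As an added example (not part of IBM's bulletin), the check below classifies an installed IBM MQ version against the fix levels listed above, using IBM's V.R.M.F version scheme where a modification level of 0 denotes an LTS stream and a non-zero modification level a CD release; the `dspmqver` banner it parses is a constructed sample, and the stream-to-fix-level mapping is an assumption drawn from the Remediation/Fixes section.

```python
"""Classify an IBM MQ install against the fix levels in this bulletin (APAR IT43737)."""
import re
from typing import Tuple

# Minimum fixed level per affected stream, taken from the Remediation/Fixes section.
FIXED_LEVELS = {
    (9, 0): (9, 0, 0, 19),  # 9.0 LTS: Cumulative Security Update 9.0.0.19
    (9, 1): (9, 1, 0, 17),  # 9.1 LTS: Cumulative Security Update 9.1.0.17
    (9, 2): (9, 2, 0, 15),  # 9.2 LTS: Fix Pack 9.2.0.15
    (9, 3): (9, 3, 3, 0),   # 9.3 CD:  upgrade to IBM MQ 9.3.3
}
CD_STREAMS = {(9, 3)}  # streams for which the bulletin names a CD release


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '9.2.0.15' or '9.3.3' into a 4-tuple, padding missing fields with 0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised IBM MQ version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(text: str) -> str:
    """Return 'fixed', 'affected' or 'not listed' for the given MQ version string."""
    v = parse_version(text)
    stream = v[:2]
    if stream not in FIXED_LEVELS:
        return "not listed"  # e.g. 8.0: outside this bulletin's scope
    is_cd = v[2] > 0  # V.R.M.F with M > 0 is a CD release, M == 0 is LTS
    if is_cd != (stream in CD_STREAMS):
        return "not listed"  # e.g. 9.0.5 CD or 9.3.0 LTS: not named in this bulletin
    return "fixed" if v >= FIXED_LEVELS[stream] else "affected"


VERSION_RE = re.compile(r"^\s*Version:\s*(\d+(?:\.\d+){1,3})\s*$", re.MULTILINE)


def version_from_dspmqver(output: str) -> str:
    """Pull the 'Version:' field out of dspmqver banner output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Version:' line found in dspmqver output")
    return m.group(1)


# Constructed sample of a dspmqver banner (not output captured from a real host).
SAMPLE_DSPMQVER = "Name:        IBM MQ\nVersion:     9.2.0.14\n"

if __name__ == "__main__":
    found = version_from_dspmqver(SAMPLE_DSPMQVER)
    print(found, "->", assess(found))  # 9.2.0.14 -> affected
```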

Workarounds and Mitigations

None

Affected configurations

Vulners match: ibm mq 9.0 OR 9.1 OR 9.2 OR 9.3

| CPE Name | Operator | Version |
|----------|----------|---------|
| ibm mq   | eq       | 9.0     |
| ibm mq   | eq       | 9.1     |
| ibm mq   | eq       | 9.2     |
| ibm mq   | eq       | 9.3     |
