5.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:N/I:N/A:P
0.0005 Low
EPSS
Percentile
18.0%
An issue was identified in the Red Hat UBI (ubi8/ubi-minimal) v8.7-x package (tar) that was shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.
CVEID: CVE-2022-48303
**DESCRIPTION:** GNU Tar is vulnerable to a heap-based buffer overflow, caused by an out-of-bounds read in the from_header() function in list.c when processing V7 archive files. By persuading a victim to open a specially-crafted V7 file using whitespace characters in the mtime parameter, a remote attacker could overflow a buffer and execute arbitrary code in the context of the current process.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/245770 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
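
As an added example (not part of the IBM bulletin or of GNU tar), the following pre-screening check walks a tar file's 512-byte header blocks and reports V7 headers whose mtime field holds only whitespace, the input condition named in the description above. The function names, the constructed sample bytes and the "whitespace plus NUL padding" rule are assumptions made for this example; the field offsets are the standard tar header layout.

```python
import io

BLOCK = 512
NAME, SIZE, MTIME = slice(0, 100), slice(124, 136), slice(136, 148)
MAGIC = slice(257, 262)            # b"ustar" in POSIX/GNU headers, absent in V7
WHITESPACE = b" \t\n\v\f\r"

def _size(field):
    """Octal size field -> byte count; unparsable or negative values count as 0."""
    digits = field.strip(WHITESPACE + b"\0")
    try:
        return max(int(digits, 8), 0) if digits else 0
    except ValueError:
        return 0

def whitespace_mtime_headers(stream):
    """Return (block_index, member_name) for every V7 header whose mtime
    field contains whitespace and nothing else. Needs a seekable stream."""
    hits, index = [], 0
    while True:
        block = stream.read(BLOCK)
        if len(block) < BLOCK:
            return hits
        if block.count(0) != BLOCK:            # all-zero blocks are padding
            mtime = block[MTIME].rstrip(b"\0")
            if block[MAGIC] != b"ustar" and mtime and not mtime.strip(WHITESPACE):
                name = block[NAME].split(b"\0", 1)[0].decode("latin-1")
                hits.append((index, name))
            # Skip the member's data, rounded up to whole 512-byte blocks.
            data_blocks = -(-_size(block[SIZE]) // BLOCK)
            stream.seek(data_blocks * BLOCK, io.SEEK_CUR)
            index += data_blocks
        index += 1

def demo_header(name, mtime, size=0, magic=b""):
    """Constructed demo header (assumption); the checksum field is left empty."""
    block = bytearray(BLOCK)
    block[NAME] = name.ljust(100, b"\0")
    block[SIZE] = b"%011o\0" % size
    block[MTIME] = mtime.ljust(12, b"\0")
    block[MAGIC] = magic.ljust(5, b"\0")
    return bytes(block)

# Constructed sample: a normal member, a V7 header with a blank mtime, a ustar one.
SAMPLE = (demo_header(b"ok.txt", b"14371234567", size=3) + b"abc".ljust(BLOCK, b"\0")
          + demo_header(b"odd.bin", b" " * 11)
          + demo_header(b"posix.txt", b" " * 11, magic=b"ustar") + bytes(2 * BLOCK))
if __name__ == "__main__":
    print(whitespace_mtime_headers(io.BytesIO(SAMPLE)))
```

A hit is a reason to quarantine the archive before any unpatched tar binary in the image processes it; it does not replace moving to the fixed container images.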
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | CD: v2.3.0 prior releases<br>LTS: v2.0.8 prior releases |
IBM MQ Operator LTS Release | 9.3.2.0-r1, 9.3.0.4-r1 and prior releases |
The issue described in this security bulletin is addressed in the IBM MQ Operator v2.3.1 CD release, which included the IBM supplied MQ Advanced 9.3.2.0-r2 container image, and in the IBM MQ Operator v2.0.9 LTS release, which included the IBM supplied MQ Advanced 9.3.0.4-r2 container image.
IBM strongly recommends addressing the vulnerability now.
**IBM MQ Operator 2.3.1 CD release details:**

Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | v2.3.1 | | |
ibm-mqadvanced-server | 9.3.2.0-r2 | | |
ibm-mqadvanced-server-integration | 9.3.2.0-r2 | | |
ibm-mqadvanced-server-dev | 9.3.2.0-r2 | | icr.io/ibm-messaging/mq@sha256:8568805d9df989d7c78bdf81dea8976913c3e653fabd71d1094a00021548dabe |
**IBM MQ Operator V2.0.9 LTS release details:**

Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.9 | | |
ibm-mqadvanced-server | 9.3.0.4-r2 | | |
ibm-mqadvanced-server-integration | 9.3.0.4-r2 | | |
ibm-mqadvanced-server-dev | 9.3.0.4-r2 | | icr.io/ibm-messaging/mq@sha256:69fc5b8a2a680043235f4f446f2cef632ef0ec16f7e353bc0f593424ffcd2428 |
None
CPE

Name | Operator | Version |
---|---|---|
ibm mq certified container software | eq | 2.3.1 |
ibm mq certified container software | eq | 2.0.9 |