Security Bulletin: A vulnerability in GNU Tar affects IBM MQ Operator and Queue manager container images (CVE-2022-48303)

2023-03-30 16:17:05
www.ibm.com

CVSS3: 5.5 Medium
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector: Local; Attack Complexity: Low; Privileges Required: None; User Interaction: Required; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High

CVSS2: 1.9 Low
AV:L/AC:M/Au:N/C:N/I:N/A:P
Access Vector: Local; Access Complexity: Medium; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial

EPSS: 0.0005 Low (percentile 18.0%)

Note that these header scores treat the flaw as an availability-only (crash) issue, while IBM's own assessment in the Vulnerability Details section below scores it 7.8 with high confidentiality, integrity and availability impact. The two assessments differ on whether the out-of-bounds read can be driven beyond a crash; the remediation below applies either way.

Summary

An issue was identified in the tar package of Red Hat UBI (ubi8/ubi-minimal) v8.7-x, which is shipped inside the IBM MQ Operator and the IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID: CVE-2022-48303
**DESCRIPTION:** GNU Tar is vulnerable to a heap-based buffer overflow, caused by an out-of-bounds read in the from_header() function in list.c when processing V7 archive files. By persuading a victim to open a specially crafted V7 archive whose mtime field contains whitespace characters, a remote attacker could overflow a buffer and execute arbitrary code in the context of the current process.
CVSS Base score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/245770 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM MQ Operator | CD: v2.3.0 and prior releases; LTS: v2.0.8 and prior releases
IBM supplied MQ Advanced container images | 9.3.2.0-r1, 9.3.0.4-r1 and prior releases

Remediation/Fixes

The issue described in this security bulletin is addressed in the IBM MQ Operator v2.3.1 CD release, which includes the IBM supplied MQ Advanced 9.3.2.0-r2 container image, and in the IBM MQ Operator v2.0.9 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.4-r2 container image. Pull the fixed images by the digests listed below rather than by tag, so that the deployed image can be verified against this bulletin.

IBM strongly recommends addressing the vulnerability now.

**IBM MQ Operator 2.3.1 CD release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.3.1 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:ba532143eea1ff0b69259804d1e03cb47da9421e65af2231ac457b46001c59d5
ibm-mqadvanced-server | 9.3.2.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:b483c891a8b9cbf1111a000d67eff6c6885e3895b8b3bc8fbcface511244b24f
ibm-mqadvanced-server-integration | 9.3.2.0-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:715a98b1dcc886a5f57dbc6ce3f60dcd8b49308d2023583ad30cced2b19b3983
ibm-mqadvanced-server-dev | 9.3.2.0-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:8568805d9df989d7c78bdf81dea8976913c3e653fabd71d1094a00021548dabe

**IBM MQ Operator V2.0.9 LTS release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | 2.0.9 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:495c209ca4a8bbe3c84b21ba5229e5d6a0e14a9d898f258f19cb5204bbc31b35
ibm-mqadvanced-server | 9.3.0.4-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:1dd48c13a2afe7036a615b34bd7c89237660722f2fa304fed4fdeb9c6e49be52
ibm-mqadvanced-server-integration | 9.3.0.4-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:09bd7a2466ba9d68989c6549bce94bf3cb9037791cc250a29a8b3b556ce92e70
ibm-mqadvanced-server-dev | 9.3.0.4-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:69fc5b8a2a680043235f4f446f2cef632ef0ec16f7e353bc0f593424ffcd2428
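The fix tables above identify the patched images by digest, which is the only reliable way to confirm that a running queue manager or operator pod is on a fixed build. The following script is an added example, not IBM tooling and not part of this bulletin: it takes the JSON produced by `kubectl get pods -A -o json` (or `oc get pods -A -o json`), picks out containers from the MQ repositories named in the tables, and reports whether each one is pinned to one of the bulletin's fix digests. The fixed digests are copied from the tables; the pod data embedded below is constructed for offline use, and the non-matching digest in it is a placeholder, not a real image. Pod and namespace names are assumptions.

```python
"""Audit Kubernetes/OpenShift pods against the fixed MQ image digests in this bulletin.

Added example, not IBM's tooling. Feed it the JSON from
`kubectl get pods -A -o json` (or `oc get pods -A -o json`); the sample
below is constructed so the script runs offline.
"""
import json
import re
from typing import Dict, List, Optional

# Fixed image digests, copied from the two remediation tables in the bulletin.
FIXED_DIGESTS: Dict[str, str] = {
    "sha256:ba532143eea1ff0b69259804d1e03cb47da9421e65af2231ac457b46001c59d5": "ibm-mq-operator v2.3.1 (CD)",
    "sha256:b483c891a8b9cbf1111a000d67eff6c6885e3895b8b3bc8fbcface511244b24f": "ibm-mqadvanced-server 9.3.2.0-r2 (CD)",
    "sha256:715a98b1dcc886a5f57dbc6ce3f60dcd8b49308d2023583ad30cced2b19b3983": "ibm-mqadvanced-server-integration 9.3.2.0-r2 (CD)",
    "sha256:8568805d9df989d7c78bdf81dea8976913c3e653fabd71d1094a00021548dabe": "ibm-mqadvanced-server-dev 9.3.2.0-r2 (CD)",
    "sha256:495c209ca4a8bbe3c84b21ba5229e5d6a0e14a9d898f258f19cb5204bbc31b35": "ibm-mq-operator 2.0.9 (LTS)",
    "sha256:1dd48c13a2afe7036a615b34bd7c89237660722f2fa304fed4fdeb9c6e49be52": "ibm-mqadvanced-server 9.3.0.4-r2 (LTS)",
    "sha256:09bd7a2466ba9d68989c6549bce94bf3cb9037791cc250a29a8b3b556ce92e70": "ibm-mqadvanced-server-integration 9.3.0.4-r2 (LTS)",
    "sha256:69fc5b8a2a680043235f4f446f2cef632ef0ec16f7e353bc0f593424ffcd2428": "ibm-mqadvanced-server-dev 9.3.0.4-r2 (LTS)",
}

# Repository names covered by the bulletin (operator, queue manager, integration, dev image).
MQ_REPOS = (
    "ibm-mq-operator",
    "ibm-mqadvanced-server",
    "ibm-mqadvanced-server-integration",
    "ibm-messaging/mq",
)

DIGEST_RE = re.compile(r"(sha256:[0-9a-f]{64})$")


def repo_of(image_ref: str) -> str:
    """Strip scheme, tag and digest: 'cp.icr.io/cp/x:9.3@sha256:..' -> 'cp.icr.io/cp/x'."""
    ref = image_ref.split("://", 1)[-1]      # drop a docker-pullable:// prefix if present
    ref = ref.split("@", 1)[0]               # drop @sha256:...
    head, _, tail = ref.rpartition("/")
    tail = tail.split(":", 1)[0]             # drop :tag on the last path component only
    return f"{head}/{tail}" if head else tail


def is_mq_image(image_ref: str) -> bool:
    return any(repo_of(image_ref).endswith(r) for r in MQ_REPOS)


def extract_digest(image_ref: str) -> Optional[str]:
    """Digest from 'repo@sha256:..' or a bare 'sha256:..' imageID; None if unpinned."""
    m = DIGEST_RE.search(image_ref)
    return m.group(1) if m else None


def audit_pods(pods_json: str) -> List[dict]:
    """One finding per MQ container.

    status: 'fixed'            digest is one of the bulletin's fix images
            'not-in-fix-list'  pinned to another digest (an older image, or a later
                               release that has its own bulletin): review it
            'unpinned'         no digest reported, so the build cannot be verified
    """
    findings = []
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        for cs in pod.get("status", {}).get("containerStatuses", []):
            image = cs.get("image", "")
            image_id = cs.get("imageID", "")
            if not (is_mq_image(image) or is_mq_image(image_id)):
                continue
            digest = extract_digest(image_id) or extract_digest(image)
            if digest is None:
                status = "unpinned"
            elif digest in FIXED_DIGESTS:
                status = "fixed"
            else:
                status = "not-in-fix-list"
            findings.append({
                "namespace": meta["namespace"], "pod": meta["name"], "container": cs["name"],
                "digest": digest, "status": status, "fix_image": FIXED_DIGESTS.get(digest, ""),
            })
    return findings


def needs_action(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["status"] != "fixed"]


# Constructed sample in `kubectl get pods -A -o json` shape (only the fields used here).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "ibm-mq", "name": "ibm-mq-operator-7d9c8-x2k4p"},
     "status": {"containerStatuses": [
         {"name": "operator",
          "image": "icr.io/cpopen/ibm-mq-operator@sha256:ba532143eea1ff0b69259804d1e03cb47da9421e65af2231ac457b46001c59d5",
          "imageID": "icr.io/cpopen/ibm-mq-operator@sha256:ba532143eea1ff0b69259804d1e03cb47da9421e65af2231ac457b46001c59d5"}]}},
    {"metadata": {"namespace": "mq-prod", "name": "qm1-ibm-mq-0"},
     "status": {"containerStatuses": [
         {"name": "qmgr",
          "image": "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.4-r1",
          # placeholder digest standing in for a pre-fix image; not a real image digest
          "imageID": "docker-pullable://cp.icr.io/cp/ibm-mqadvanced-server@sha256:" + "deadbeef" * 8},
         {"name": "istio-proxy",   # sidecar from another repository; ignored
          "image": "docker.io/istio/proxyv2:1.17.1",
          "imageID": "docker.io/istio/proxyv2@sha256:" + "ab" * 32}]}},
    {"metadata": {"namespace": "mq-dev", "name": "dev-qm-0"},
     "status": {"containerStatuses": [
         {"name": "qmgr", "image": "icr.io/ibm-messaging/mq:latest", "imageID": ""}]}},
]})

if __name__ == "__main__":
    for f in audit_pods(SAMPLE_PODS_JSON):
        print(f"{f['status']:<16} {f['namespace']}/{f['pod']} [{f['container']}] "
              f"{f['digest'] or '-'} {f['fix_image']}")
```

Run it against live data with `kubectl get pods -A -o json | python3 audit.py` after changing the `__main__` block to read `sys.stdin`. A `not-in-fix-list` result is not automatically bad: images from releases after the ones in this bulletin carry different digests, so confirm the pull reference in the pod spec against the bulletin that covers that release before closing the finding. `unpinned` results should be treated as unverified and moved to digest-pinned references.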



Workarounds and Mitigations

None
