Dec 10, 2020 - 2:36 p.m.

Security Bulletin: App Connect Enterprise Certified Container Integration Servers could allow information exposure when using MQ (CVE-2020-4498)

2020-12-10 14:36:32
www.ibm.com

EPSS: 0.0004 (Low), percentile 5.1%

Summary

App Connect Enterprise Certified Container Integration Servers could allow a local privileged user to obtain highly sensitive information because data is included in trace files when communicating with an MQ server (CVE-2020-4498).

Vulnerability Details

CVEID: CVE-2020-4498
**DESCRIPTION:** IBM MQ Appliance 9.1 LTS and 9.1 CD could allow a local privileged user to obtain highly sensitive information due to inclusion of data within trace files. IBM X-Force ID: 182118.
CVSS Base score: 4.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182118 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| App Connect Enterprise Certified Container | 1.0.0 with Operator |
| App Connect Enterprise Certified Container | 1.0.1 with Operator |
| App Connect Enterprise Certified Container | 1.0.2 with Operator |
| App Connect Enterprise Certified Container | 1.0.3 with Operator |
| App Connect Enterprise Certified Container | 1.0.4 with Operator |
| App Connect Enterprise Certified Container | 1.0.5 with Operator |

Remediation/Fixes

Upgrade App Connect Enterprise Certified Container to Operator version 1.1.0 (available in CASE 1.1.0) or higher, and ensure that any Integration Server components are upgraded to 11.0.0.10-r3 or higher.

Workarounds and Mitigations

This is only applicable if an Integration Server container is attempting to collect MQ trace.
