Security Bulletin: IBM MQ is vulnerable to multiple issues within the IBM® Runtime Environment Java™ Technology Edition, Versions 7 and 8 shipped with IBM MQ (CVE-2021-2432, CVE-2021-2388)

Summary

Multiple issues were identified with IBM® Runtime Environment Java™ Technology Edition, version 7 that is packaged with IBM MQ 8.0 and versions 8 that is packaged with IBM MQ 9.0, 9.1 and 9.2.

Vulnerability Details

CVEID:CVE-2021-2432
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the JNDI component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205856 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2021-2388
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow an unauthenticated attacker to take control of the system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/205815 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

This issued was addressed under APAR IT38523.

IBM MQ version 8.0

[Apply the JRE update interim fix APAR IT38524](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+MQ&release=8.0.0.16&platform=All&function=aparId&apars=IT38524&source=fc&gt; "Apply the Version 8.0 cumulative security update “CSU01"” )

IBM MQ version 9.0 LTS

Apply FixPack 9.0.0.12

IBM MQ version 9.1 LTS

Apply FixPack 9.1.0.9

IBM MQ version 9.2 LTS

Apply FixPack 9.2.0.4

IBM MQ 9.1 CD and 9.2 CD

Upgrade to IBM MQ 9.2.4

Workarounds and Mitigations

None