Lucene search

IBM7AAAC72FE597506BDE2660E488F1C4716EB1897CE774DC380DED82B46A52016A

HistoryOct 11, 2023 - 5:44 p.m.

Security Bulletin: IBM MQ is affected by multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 8

2023-10-1117:44:19

www.ibm.com

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

52.3%

JSON

Summary

Multiple vulnerabilities were found with IBM® Runtime Environment Java™ Technology Edition, Version 8 which is shipped with IBM MQ (CVE-2022-21624, CVE-2022-21626)

Vulnerability Details

CVEID:CVE-2022-21626
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238689 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2022-21624
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to update, insert or delete data resulting in a low integrity impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/238699 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ	9.0 LTS
IBM MQ	9.1 LTS
IBM MQ	9.2 LTS
IBM MQ	9.3 LTS
IBM MQ	9.1 CD
IBM MQ	9.2 CD
IBM MQ	9.3 CD

The following installable MQ components are affected by the vulnerability:

• Java JRE

• IBM MQ Explorer

• Managed File Transfer

• MQ IPT

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

These issues were resolved under APAR IT42457 and APAR IT43613

IBM MQ version 9.0 LTS for Windows, Linux, AIX, Solaris

Apply CSU 9.0.0.14

IBM MQ version 9.0 LTS for HP

Apply CSU 9.0.0.17

IBM MQ version 9.1 LTS

Apply CSU 9.1.0.13

IBM MQ version 9.2 LTS

Apply FixPack 9.2.0.7

IBM MQ version 9.3 LTS

Apply FixPack 9.3.0.2

IBM MQ version 9.1, 9.2 & 9.3 CD

Upgrade to IBM MQ 9.3.0 and apply CSU 9.3.1.1

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm mqeq9.0.0
ibm mqeq9.1.0
ibm mqeq9.2.0
ibm mqeq9.3.0

Name	Operator	Version
ibm mq	eq	9.0.0
ibm mq	eq	9.1.0
ibm mq	eq	9.2.0
ibm mq	eq	9.3.0

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.002 Low

EPSS

Percentile

52.3%

JSON

Related for 7AAAC72FE597506BDE2660E488F1C4716EB1897CE774DC380DED82B46A52016A