Security Bulletin: IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages. (CVE-2022-43902)

Summary

An issue was identified within the IBM MQ Server component that would allow an authenticated attacker with sufficient MQ permissions to send MQSC or PCF commands to execute a denial of service attack by sending specially crafted payload.

Vulnerability Details

CVEID:CVE-2022-43902
**DESCRIPTION:**IBM MQ is vulnerable to a denial of service attack caused by specially crafted PCF or MQSC messages.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/240832 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

The following installable MQ components are affected by the vulnerability:

• Server

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins&gt;

Remediation/Fixes

This issue was resolved under APAR IT42613.

IBM MQ 9.1 LTS

Apply cumulative security update 9.1.0.13

IBM MQ 9.2 LTS

Apply cumulative security update 9.2.0.8

IBM MQ 9.3 LTS

Apply fix pack 9.3.0.2

IBM MQ 9.1 CD, 9.2 CD and 9.3 CD

Upgrade to IBM MQ 9.3.1 and apply cumulative security update 9.3.1.1

Workarounds and Mitigations

None