Published: Dec 26, 2022, 7:37 a.m.

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from krb5 and e2fsprogs

Source: www.ibm.com

8.8 High (CVSS3)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

6.8 Medium (CVSS2)
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.005 (Low), percentile 75.9%

Note that these headline scores are the database's own rating for the bulletin as a whole; IBM's per-CVE base scores in the Vulnerability Details section below are lower (6.4 and 7.0), because IBM rates both issues as high attack complexity.

Summary

Multiple issues were identified in the krb5 and e2fsprogs packages of the Red Hat UBI (ubi8/ubi-minimal) v8.6-x base image that was shipped with the IBM MQ Operator and the IBM supplied MQ Advanced container images. These vulnerabilities have been addressed: the fixed images are rebuilt on Red Hat UBI (ubi8/ubi-minimal) v8.7-x, which carries the patched packages.

Vulnerability Details

CVEID: CVE-2022-42898
DESCRIPTION: MIT krb5 is vulnerable to a denial of service, caused by integer overflows in PAC parsing (the krb5_pac_parse() routine). By sending a specially crafted PAC, a remote authenticated attacker could exploit this vulnerability to crash a KDC, kadmind, or a GSS/Kerberos application server process. On 32-bit platforms the overflow results in a heap-based buffer overflow and may lead to remote code execution.
CVSS Base score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/240238 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L)

CVEID: CVE-2022-1304
DESCRIPTION: e2fsprogs could allow an attacker to execute arbitrary code on the system, caused by an out-of-bounds read/write vulnerability triggered by a specially crafted filesystem image. By persuading a victim to process such an image (for example with e2fsck or another tool built on libext2fs), an attacker could exploit this vulnerability to cause a segmentation fault or possibly execute arbitrary code on the system.
CVSS Base score: 7.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/224602 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H)

Affected Products and Versions

Affected Product(s)                        Version(s)
IBM MQ Operator                            CD: 2.2.0 and prior releases
                                           LTS: 2.0.5 and prior releases
IBM supplied MQ Advanced container images  9.3.0.1-r3, 9.3.1.0-r2 and prior releases

Remediation/Fixes

The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.2.1 CD release, which includes the IBM supplied MQ Advanced 9.3.1.0-r3 container images, and in the IBM MQ Operator 2.0.6 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.1-r4 container images. Upgrade to the image digests listed below; the dev image (ibm-mqadvanced-server-dev) is published under icr.io/ibm-messaging/mq rather than the cp.icr.io entitled registry.

IBM MQ Operator 2.2.1 CD release details:

Image                              Fix Version  Registry   Image Location
ibm-mq-operator                    2.2.1        icr.io     icr.io/cpopen/ibm-mq-operator@sha256:db0bd02f14ab6002eec3542978edddb18ae91d7bff36fbfab95fd6b0357ca8ab
ibm-mqadvanced-server              9.3.1.0-r3   cp.icr.io  cp.icr.io/cp/ibm-mqadvanced-server@sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2
ibm-mqadvanced-server-integration  9.3.1.0-r3   cp.icr.io  cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:966d870d250c59aede758f9ec88ff8260642161b342b51c4dd02927919a9eeb0
ibm-mqadvanced-server-dev          9.3.1.0-r3   icr.io     icr.io/ibm-messaging/mq@sha256:fb4932d61046fc52bd5016e251998c9f2cd522b74b2e144e3aac1556cf50545c

IBM MQ Operator 2.0.6 LTS release details:

Image                              Fix Version  Registry   Image Location
ibm-mq-operator                    2.0.6        icr.io     icr.io/cpopen/ibm-mq-operator@sha256:5349ef3fabccccb8b18d3a4c7fd179f38781eb7a906498134c8fbb7bdaa46f54
ibm-mqadvanced-server              9.3.0.1-r4   cp.icr.io  cp.icr.io/cp/ibm-mqadvanced-server@sha256:a4030bccc89d18654329a033fe36bfbb52043d6990fff9aabed0c1a4bc2708ce
ibm-mqadvanced-server-integration  9.3.0.1-r4   cp.icr.io  cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:5f6a9b6c5fe285f32db5ccb39ffa3098b6bd1f8783f537bfae68e68f07ed9a57
ibm-mqadvanced-server-dev          9.3.0.1-r4   icr.io     icr.io/ibm-messaging/mq@sha256:1823acd88716c23a63c338004fc1ba2f33cd636631850f5efc75a596ceffe5ab
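The digests above are what a cluster operator should verify against, because an operator upgrade pulls by digest and a pod spec that names only a tag says nothing about which build was actually pulled. The following script is an added example, not part of the IBM bulletin or of any IBM tooling: it takes the eight fixed digests verbatim from the two tables above and checks a list of running images against them. The kubectl command in the comment and the pod names in SAMPLE are assumptions constructed for this example; on a real cluster you would pipe the kubectl output into audit_images instead of SAMPLE.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: audit the MQ images a cluster is
# actually running against the fixed digests published in the bulletin.
# FIXED_REFS is copied verbatim from the 2.2.1 CD and 2.0.6 LTS tables.
FIXED_REFS='icr.io/cpopen/ibm-mq-operator@sha256:db0bd02f14ab6002eec3542978edddb18ae91d7bff36fbfab95fd6b0357ca8ab
cp.icr.io/cp/ibm-mqadvanced-server@sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2
cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:966d870d250c59aede758f9ec88ff8260642161b342b51c4dd02927919a9eeb0
icr.io/ibm-messaging/mq@sha256:fb4932d61046fc52bd5016e251998c9f2cd522b74b2e144e3aac1556cf50545c
icr.io/cpopen/ibm-mq-operator@sha256:5349ef3fabccccb8b18d3a4c7fd179f38781eb7a906498134c8fbb7bdaa46f54
cp.icr.io/cp/ibm-mqadvanced-server@sha256:a4030bccc89d18654329a033fe36bfbb52043d6990fff9aabed0c1a4bc2708ce
cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:5f6a9b6c5fe285f32db5ccb39ffa3098b6bd1f8783f537bfae68e68f07ed9a57
icr.io/ibm-messaging/mq@sha256:1823acd88716c23a63c338004fc1ba2f33cd636631850f5efc75a596ceffe5ab'

# is_fixed IMAGE_REF: exit 0 only if the reference is pinned by digest and that
# digest is one of the fixed ones. A tag-only reference (e.g. .../mq:9.3.1.0-r3)
# is never accepted: tags can be re-pointed, so they prove nothing about what
# was pulled.
is_fixed() {
  ref=${1#docker-pullable://}   # older Docker runtimes prefix imageID this way
  case $ref in
    *@sha256:*) printf '%s\n' "$FIXED_REFS" | grep -qxF "$ref" ;;
    *) return 1 ;;
  esac
}

# audit_images: reads "namespace/pod imageref [imageref...]" lines on stdin,
# prints one verdict per container image and returns 1 if any image is not
# pinned to a fixed digest.
audit_images() {
  rc=0
  while read -r pod images; do
    for image in $images; do
      if is_fixed "$image"; then
        printf 'OK     %s %s\n' "$pod" "$image"
      else
        printf 'UPDATE %s %s\n' "$pod" "$image"
        rc=1
      fi
    done
  done
  return $rc
}

# On a real cluster the input would come from a command such as (assumed here):
#   kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}/{.metadata.name} {.status.containerStatuses[*].imageID}{"\n"}{end}'
# containerStatuses[].imageID carries the digest that was actually pulled even
# when the pod spec names a tag. SAMPLE is constructed input for this example:
# one fixed operator, one fixed queue manager, one queue manager on an unknown
# digest and one dev image referenced only by tag.
SAMPLE='mq/ibm-mq-operator-5d8f9c-x7k2p icr.io/cpopen/ibm-mq-operator@sha256:db0bd02f14ab6002eec3542978edddb18ae91d7bff36fbfab95fd6b0357ca8ab
mq/qm1-ibm-mq-0 cp.icr.io/cp/ibm-mqadvanced-server@sha256:cb51bb5233ec211bbe9b428a6e03e8cb08709f6da578f9c6d017736702bab9d2
mq/qm2-ibm-mq-0 cp.icr.io/cp/ibm-mqadvanced-server@sha256:0000000000000000000000000000000000000000000000000000000000000000
dev/qm-dev-0 icr.io/ibm-messaging/mq:9.3.1.0-r2'

if printf '%s\n' "$SAMPLE" | audit_images; then
  echo "all MQ images are on fixed digests"
else
  echo "at least one MQ image still needs updating"
fi
```

The check is deliberately strict in one direction: an image that is pinned but not in the list is reported as UPDATE even if it is a newer release than the ones in this bulletin, so extend FIXED_REFS with later digests from subsequent bulletins rather than loosening the match.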

Workarounds and Mitigations

None
