CVSS2: AV:N/AC:L/Au:N/C:N/I:N/A:P (Attack Vector: Network; Attack Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: Partial)
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: None; Availability Impact: High)
EPSS Percentile: 77.9%
Multiple issues were identified in the Red Hat UBI packages curl, go and apr-util that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.
CVEID: CVE-2023-27535
**DESCRIPTION:** cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a too-eager FTP connection reuse flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to reuse a previously created FTP connection.
CVSS Base score: 9.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/250530 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
CVEID: CVE-2022-25147
**DESCRIPTION:** Apache Portable Runtime (APR) could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the apr_base64 functions. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
CVSS Base score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/246064 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2022-2879
**DESCRIPTION:** Golang Go is vulnerable to a denial of service, caused by the failure of Reader.Read to set a limit on the maximum size of file headers. By using a specially crafted archive, a remote attacker could exploit this vulnerability to exhaust all available memory resources.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/240560 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-21698
**DESCRIPTION:** Prometheus Go client library (client_golang) is vulnerable to a denial of service, caused by a flaw when handling requests with non-standard HTTP methods. By sending specially crafted HTTP requests, a remote attacker could exploit this vulnerability to cause memory exhaustion.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219707 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2022-35252
**DESCRIPTION:** cURL libcurl is vulnerable to a denial of service, caused by a flaw when cookies that contain control codes are later sent back to an HTTP(S) server. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a "sister site" to deny service to siblings.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/234980 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Affected Product(s) | Version(s)
---|---
IBM MQ Operator | CD: v2.3.2 and prior releases
IBM MQ Operator | LTS: v2.0.10 and prior releases
IBM supplied MQ Advanced container images | CD: 9.3.2.1-r1 and prior releases
IBM supplied MQ Advanced container images | LTS: 9.3.0.5-r1 and prior releases
The issues described in this security bulletin are addressed in the IBM MQ Operator v2.3.3 CD release, which includes the IBM supplied MQ Advanced 9.3.2.1-r2 container image, and in the IBM MQ Operator v2.0.11 LTS release, which includes the IBM supplied MQ Advanced 9.3.0.5-r2 container image.
IBM strongly recommends addressing the vulnerabilities now.
**IBM MQ Operator 2.3.3 CD release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | v2.3.3 | | icr.io/cpopen/ibm-mq-operator@sha256:f93a56a993ca6e1cd78b19b16031ee88594863c566521da732a885b64277d069
ibm-mqadvanced-server | 9.3.2.1-r2 | |
ibm-mqadvanced-server-integration | 9.3.2.1-r2 | |
ibm-mqadvanced-server-dev | 9.3.2.1-r2 | | icr.io/ibm-messaging/mq@sha256:937b4b860da8d2021adf14b65eb2ebef8f6b1bc811518f3bd20a9386730016e0
**IBM MQ Operator V2.0.11 LTS release details:**

Image | Fix Version | Registry | Image Location
---|---|---|---
ibm-mq-operator | 2.0.11 | |
ibm-mqadvanced-server | 9.3.0.5-r2 | |
ibm-mqadvanced-server-integration | 9.3.0.5-r2 | |
ibm-mqadvanced-server-dev | 9.3.0.5-r2 | | icr.io/ibm-messaging/mq@sha256:d5abb9ecd9d10d76583163a97b235befea502ef0df0cbf9d315c4c397ee9100e
**Important Note for users of Operations Dashboard on IBM MQ LTS Queue Manager Container 9.3.0.5-r2 Image**
When Operations Dashboard is enabled, IBM MQ LTS Queue Manager Container Images 9.3.0.5-r2 deploy Operations Dashboard Agent and Collector images that do not contain the latest security fixes available at the time of their GA.
Mitigation: Upgrade all IBM MQ LTS Queue Manager Container 9.3.0.5-r2 images with Operations Dashboard enabled to at least 9.3.0.5-r3.
To complete this upgrade, follow the instructions in Upgrading an IBM MQ queue manager using Red Hat OpenShift.
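A small check for the fix levels above, added here as an illustration and not IBM's own tooling: it parses IBM MQ operator and image tags of the forms the bulletin lists (`v2.3.2`, `9.3.0.5-r1`) and reports whether a tag is at or above the fix level for its stream, including the Operations Dashboard case that needs 9.3.0.5-r3. The fix levels come from the bulletin; the rule for telling streams apart (9.3.0.x and v2.0.x are LTS, 9.3.2.x and v2.3.x are CD) and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Optional, Tuple

# Fix levels stated in this bulletin, keyed by (component, stream).
FIXED = {
    ("mq-server", "LTS"): "9.3.0.5-r2",
    ("mq-server", "CD"): "9.3.2.1-r2",
    ("operator", "LTS"): "2.0.11",
    ("operator", "CD"): "2.3.3",
}
# Edge case from the bulletin: LTS 9.3.0.5-r2 with Operations Dashboard needs r3.
OPS_DASHBOARD_MIN = "9.3.0.5-r3"

# Accepts "v2.3.2", "2.0.11", "9.3.0.5-r1"; the "-rN" rebuild suffix is optional.
_TAG_RE = re.compile(r"^v?(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_tag(tag: str) -> Tuple[Tuple[int, ...], int]:
    """'9.3.0.5-r1' -> ((9, 3, 0, 5), 1); 'v2.3.2' -> ((2, 3, 2), 0)."""
    m = _TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised tag: {tag!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums, int(m.group(2) or 0)


def stream_of(component: str, tag: str) -> Optional[str]:
    """Assumed stream rule: 9.3.0.x / v2.0.x are LTS, 9.3.2.x / v2.3.x are CD."""
    nums, _ = parse_tag(tag)
    if component == "mq-server":
        return {(9, 3, 0): "LTS", (9, 3, 2): "CD"}.get(nums[:3])
    return {(2, 0): "LTS", (2, 3): "CD"}.get(nums[:2])


def is_fixed(component: str, tag: str, ops_dashboard: bool = False) -> Optional[bool]:
    """True if tag is at/above the bulletin's fix level; None if the stream is not covered."""
    stream = stream_of(component, tag)
    if stream is None:
        return None
    required = FIXED[(component, stream)]
    if component == "mq-server" and stream == "LTS" and ops_dashboard:
        required = OPS_DASHBOARD_MIN
    # (version tuple, rebuild number) compares lexicographically, so r1 < r2 < r3.
    return parse_tag(tag) >= parse_tag(required)


# Constructed sample inventory (component, tag, Operations Dashboard enabled).
SAMPLE = [("operator", "v2.3.2", False), ("mq-server", "9.3.2.1-r2", False),
          ("mq-server", "9.3.0.5-r2", True)]


def audit(inventory):
    return {(c, t): is_fixed(c, t, od) for c, t, od in inventory}
```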