Lucene search

K
ibmIBMA5482A34C95D889C083B8220907A6F771A27CDE1BE58B9F8007C6235EA459B88
HistoryJul 21, 2021 - 4:33 p.m.

Security Bulletin: IBM MQ is vulnerable to an issue within Pacemaker. (CVE-2020-25654)

2021-07-2116:33:14
www.ibm.com
7

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

52.9%

Summary

An issue was identified with Pacemaker which is used by IBM MQ to supply RDQM functionality.

Vulnerability Details

CVEID:CVE-2020-25654
**DESCRIPTION:**ClusterLabs Pacemaker could allow a local attacker to bypass security restrictions, caused by an access control list bypass flaw. By sending a specially-crafted request using IPC communication with various daemons, an attacker could exploit this vulnerability to perform certain tasks prevented by ACLs.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190582 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.2 CD
IBM MQ 9.2 LTS
IBM MQ 9.1 CD
IBM MQ 9.1 LTS

Remediation/Fixes

This issue is resolved under APAR IT35522.

IBM MQ 9.1 LTS

Apply fix pack 9.1.0.8

IBM MQ 9.2 LTS

Apply fix pack 9.2.0.2

IBM MQ 9.1 CD and 9.2 CD

Upgrade to IBM MQ 9.2.2

Workarounds and Mitigations

Only applicable to IBM MQ installations with an RDQM HA group configured.

CPENameOperatorVersion
ibm mqeq9.1.0
ibm mqeq9.2.0

7.2 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

52.9%

Related for A5482A34C95D889C083B8220907A6F771A27CDE1BE58B9F8007C6235EA459B88