Lucene search

IBMA82B8A2B57B8474204205CD323B19F99099D36F58E09448101BEC3FAFB6AD34D

HistoryJun 27, 2024 - 12:28 a.m.

Security Bulletin: IBM MQ is affected by a vulnerability in the IBM Runtime Environment, Java Technology Edition (CVE-2024-21085)

2024-06-2700:28:32

www.ibm.com

ibm mq

java runtime environment

vulnerability

cve-2024-21085

security update

fix pack 9.4

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

5.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Summary

An issue was identified with IBM Runtime Environment, Java Technology Edition, Version 8 which is shipped with IBM MQ.

Vulnerability Details

CVEID:CVE-2024-21085
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low availability impacts.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/288000 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ	9.0 LTS
IBM MQ	9.1 LTS
IBM MQ	9.2 LTS
IBM MQ	9.3 LTS
IBM MQ	9.3 CD

The following installable MQ components are affected by the vulnerability:

- Java JRE
- Managed File Transfer
- MQ IPT
- IBM MQ Explorer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

This issue was addressed under APAR IT46155.

IBM MQ version 9.0 LTS

Apply Cumulative Security Update 9.0.0.26

IBM MQ version 9.1 LTS

Apply Cumulative Security Update 9.1.0.22

IBM MQ version 9.2 LTS

Apply Cumulative Security Update 9.2.0.26

IBM MQ version 9.3 LTS

Apply Fix Pack 9.3.0.20

IBM MQ version 9.3 CD

Upgrade to IBM MQ version 9.4

Workarounds and Mitigations

None

Affected configurations

Vulners

Node

ibmmqMatch9.0.0

ibmmqMatch9.1.0

ibmmqMatch9.2.0

ibmmqMatch9.3.0

CPENameOperatorVersion
ibm mqeq9.0.0
ibm mqeq9.1.0
ibm mqeq9.2.0
ibm mqeq9.3.0

Name	Operator	Version
ibm mq	eq	9.0.0
ibm mq	eq	9.1.0
ibm mq	eq	9.2.0
ibm mq	eq	9.3.0

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

5.7 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

15.7%

JSON

Related for A82B8A2B57B8474204205CD323B19F99099D36F58E09448101BEC3FAFB6AD34D