CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: High
EPSS Percentile: 19.8%
IBM MQ added security fixes around "handling the crafted URL", "removed clear text for user credentials in trace options" and "improved buffering logic to avoid DoS attack". The IBM MQ release containing the above fixes is shipped with the IBM MQ Operator and the IBM supplied MQ Advanced container images.
CVEID: CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2023-47745
**DESCRIPTION:** IBM MQ Operator 2.0.0 LTS, 2.0.18 LTS, 3.0.0 CD, 3.0.1 CD, 2.4.0 through 2.4.7, 2.3.0 through 2.3.3, 2.2.0 through 2.2.2, and 2.3.0 through 2.3.3 stores or transmits user credentials in plain clear text which can be read by a local user using a trace command. IBM X-Force ID: 272638.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/272638 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2024-25016
**DESCRIPTION:** IBM MQ and IBM MQ Appliance 9.0, 9.1, 9.2, 9.3 LTS and 9.3 CD could allow a remote unauthenticated attacker to cause a denial of service due to incorrect buffering logic. IBM X-Force ID: 281279.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/281279 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | **CD:** v3.0.0, v3.0.1<br>**LTS:** v2.0.0 - 2.0.18<br>**Other Release:** v2.4.0 - v2.4.7, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3 |
IBM supplied MQ Advanced container images | **CD:** 9.3.4.0-r1, 9.3.4.1-r1<br>**LTS:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1<br>**Other Release:** 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, 9.3.3.3-r1 |
The issues mentioned in this security bulletin are addressed in the releases listed below.
IBM strongly recommends applying the latest container images.
NOTE: This is the last security fix release for MQ Operator 2.4, as mentioned in the original announcement.
**IBM MQ Operator 3.1.0 CD release details:**
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | v3.1.0 | | |
ibm-mqadvanced-server | 9.3.5.0-r1 | | |
ibm-mqadvanced-server-integration | 9.3.5.0-r1 | | |
ibm-mqadvanced-server-dev | 9.3.5.0-r1 | | |
**IBM MQ Operator V2.0.19 LTS release details:**
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | v2.0.19 | | |
ibm-mqadvanced-server | 9.3.0.16-r1 | | |
ibm-mqadvanced-server-integration | 9.3.0.16-r1 | | |
ibm-mqadvanced-server-dev | 9.3.0.16-r1 | | |
**IBM MQ Operator V2.4.8 CD release details:**
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | v2.4.8 | | icr.io/cpopen/ibm-mq-operator@sha256:1aa75c6dc6ce29f10e088073e1c1d7f4dcd511e601096493378478dbbfbe417b |
ibm-mqadvanced-server | 9.3.3.3-r2 | | |
ibm-mqadvanced-server-integration | 9.3.3.3-r2 | | |
ibm-mqadvanced-server-dev | 9.3.3.3-r2 | | |
None
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | mq_certified_container | 3.1.0 | cpe:2.3:a:ibm:mq_certified_container:3.1.0:*:*:*:lts:*:*:* |
ibm | mq_certified_container | 2.0.19 | cpe:2.3:a:ibm:mq_certified_container:2.0.19:*:*:*:lts:*:*:* |
ibm | mq_certified_container | 2.4.8 | cpe:2.3:a:ibm:mq_certified_container:2.4.8:*:*:*:lts:*:*:* |