IBMB3091C425C6428EC9CB9E9D0E151BE9B12F22ACFA0E98B5F68DB7F6110E7A0D7Security Bulletin: IBM MQ could leak sensitive information due to an error within the pre-v7 queue manager pubsub logic (CVE-2020-4319)
EPSS
Percentile
10.3%
Summary
IBM MQ could allow under special circumstances, an authenticated user to obtain sensitive information due to a data leak from an error within the pre-v7 queue manager pubsub logic
Vulnerability Details
CVEID:CVE-2020-4319
**DESCRIPTION:**IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 LTS, and 9.1 CD could allow under special circumstances, an authenticated user to obtain sensitive information due to a data leak from an error within the pre-v7 queue manager pubsub logic. IBM X-Force ID: 177402.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177402 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.1 CD |
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.0 LTS |
| IBM MQ | 8.0 |
| IBM WebSphere MQ | 7.5 |
| IBM WebSphere MQ | 7.1 |
Remediation/Fixes
IBM WebSphere MQ 7.1
Contact IBM Support and request a Fix for APAR IT31787
IBM WebSphere MQ 7.5
Contact IBM Support and request a Fix for APAR IT31787
IBM MQ 8.0
IBM MQ 9.0 LTS
Apply Interim Fix for APAR IT31787
IBM MQ 9.1 LTS
IBM MQ 9.1 CD
Workarounds and Mitigations
Disable fastpath bindings for SVRCONN channel instances, for example by setting MQIBindType=STANDARD under the Channel stanza of the Queue Manager ini file.
Additionally, ensure that untrusted applications that attach locally to the queue manager do not use MQCNO_FASTPATH_BINDING.
Related
EPSS
Percentile
10.3%