Lucene search

IBMB726DA65AF39A1A1E1DA1277B41BA5F24059CF3104DDD574B17677672DDE6237

HistoryFeb 20, 2019 - 4:35 p.m.

Security Bulletin: IBM MQ Appliance is affected by krb5 vulnerabilities (CVE-2018-5730 and CVE-2018-5729)

2019-02-2016:35:01

www.ibm.com

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

Summary

IBM MQ Appliance has addressed the following krb5 vulnerabilities.

Vulnerability Details

CVEID: CVE-2018-5730
**DESCRIPTION:*MIT krb5 could allow a remote authenticated attacker to bypass security restrictions, caused by a flaw in the LDAP Kerberos database. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass DN container check.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139970> for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2018-5729
**DESCRIPTION:**MIT krb5 is vulnerable to a denial of service, caused by a NULL pointer dereference in the LDAP Kerberos database. By sending specially-crafted data, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/139969>

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Maintenance level 9.1.0.0 and 9.1.0.1

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Continuous delivery update 9.1.1

Remediation/Fixes

IBM MQ Appliance 9.1 Long Term Support (LTS) Release
Apply iFix IT27359 , or later.

IBM MQ Appliance 9.1.x Continuous Delivery (CD) Release
Apply iFix IT27359 , or later.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm mq applianceeq9.1.0
ibm mq applianceeq9.1.0.1
ibm mq applianceeq9.1.1

Name	Operator	Version
ibm mq appliance	eq	9.1.0
ibm mq appliance	eq	9.1.0.1
ibm mq appliance	eq	9.1.1

4.7 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

6.5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

JSON

Related for B726DA65AF39A1A1E1DA1277B41BA5F24059CF3104DDD574B17677672DDE6237