
Security Bulletin: IBM MQ could allow an authenticated user to insert messages with malformed data into the channel, which would cause it to restart. (CVE-2017-1433)

2018-06-15 07:07:44
www.ibm.com

EPSS: 0.001
Percentile: 40.4%

Summary

Malformed header data in an MQ message could trigger a server-connection channel process to terminate, which might deny service to other connected clients using the same channel process.

Vulnerability Details

CVEID: CVE-2017-1433
DESCRIPTION: IBM MQ could allow an authenticated user to insert messages with a corrupt header into the channel, which would cause it to restart.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127803 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM MQ V7.5

  • Maintenance levels 7.5.0.0 - 7.5.0.8

IBM MQ V8.0

  • Maintenance levels 8.0.0.0 - 8.0.0.7

IBM MQ V9 LTS

  • Maintenance levels 9.0.0.0 - 9.0.0.1

Remediation/Fixes

IBM MQ V7.5

IBM MQ V8.0

IBM MQ V9 LTS

Workarounds and Mitigations

None
