Lucene search

K
ibmIBMC876F22A143E74E770A654EFD4BEA3438BE9DD6D9FEFDAFD784135FE837FFF0C
HistoryNov 16, 2023 - 4:21 p.m.

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, glibc-minimal-langpack, glibc-common, ncurses-libs and Kubernetes

2023-11-1616:21:31
www.ibm.com
26
ibm mq
red hat ubi
kubernetes
go-toolset
glibc
ncurses-libs
libcurl
denial of service

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.016

Percentile

87.5%

Summary

Multiple issues were identified in Red Hat UBI packages, Kubernetes and go-toolset are fixed and shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.

Vulnerability Details

CVEID:CVE-2023-4813
**DESCRIPTION:**glibc is vulnerable to a denial of service, caused by a use-after-free flaw in the gaih_inet function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/265904 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-29491
**DESCRIPTION:**ncurses is vulnerable to a denial of service, caused by a memory corruption flaw when used by a setuid application. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/253259 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4806
**DESCRIPTION:**GNU glibc is vulnerable to a denial of service, caused by a use-after-free flaw in the getaddrinfo() function. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266465 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-45177
**DESCRIPTION:**IBM MQ is vulnerable to a denial-of-service attack due to an error within the MQ clustering logic.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268066 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID:CVE-2023-4527
**DESCRIPTION:**glibc is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the getaddrinfo function. By sending a DNS response over TCP larger than 2048 bytes, a remote attacker could overflow a buffer, allowing an attacker to obtain sensitive information or cause a denial of service.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/266261 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H)

CVEID:CVE-2020-8552
**DESCRIPTION:**Kubernetes kube-apiserver is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted resource request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/178254 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2023-38545
**DESCRIPTION:**libcurl and cURL are vulnerable to a heap-based buffer overflow, caused by the improper handling of hostnames longer than 255 bytes during a slow SOCKS5 proxy handshake. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2023-38546
**DESCRIPTION:**cURL libcurl could allow a remote attacker to bypass security restrictions, caused by a flaw in the curl_easy_duphandle function if a transfer has cookies enabled when the handle is duplicated. By sending a specially crafted request, an attacker could exploit this vulnerability to insert cookies at will into a running program.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/268046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2023-4911
**DESCRIPTION:**glibc could allow a local authenticated attacker to gain elevated privileges on the system, caused by a buffer overflow in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. By sending overly long data, an attacker could exploit this vulnerability to gain root privileges on the system.
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/267581 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ Operator

**CD:**v2.4.0 - v2.4.3, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3

LTS: v2.0.0 - 2.0.15

IBM supplied MQ Advanced container images|

CD: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus,
9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3,
9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2

**
LTS: **9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus,
9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1,
9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2,
9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2

Remediation/Fixes

Issue mentioned by this security bulletin is addressed in IBM MQ Operator v2.4.4 CD release that included IBM supplied MQ Advanced 9.3.3.2-r1 container image and IBM MQ Operator v2.0.16 LTS release that included IBM supplied MQ Advanced 9.3.0.11-r1 container image. IBM strongly recommends applying the latest container images.

**IBM MQ Operator 2.4.4 CD release details:

**

Image

|

Fix Version

|

Registry

|

Image Location

—|—|—|—

ibm-mq-operator

|

v2.4.4

|

icr.io

|

icr.io/cpopen/ibm-mq-operator@sha256:36738bf988d450df2fd1d3c6c9de025f11c856611000190966b503c26691a5d1

ibm-mqadvanced-server

|

9.3.3.2-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server@sha256:27909609799c4efa83970e3b3b14c6bb27e8dbbea43c3a63c3660061b13f6c0e

ibm-mqadvanced-server-integration

|

9.3.3.2-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:5747d8b94aa31a88986b0892b515b55705b463f92cace55334fb5c8b4b226016

ibm-mqadvanced-server-dev

|

9.3.3.2-r1

|

icr.io

|

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:5bcd6532d5930220910739c509598c2ee14bb2799d61be8de5e197bccf578de4

**IBM MQ Operator V2.0.16 LTS release details: **

Image

|

Fix Version

|

Registry

|

Image Location

—|—|—|—

ibm-mq-operator

|

2.0.16

|

icr.io

|

icr.io/cpopen/ibm-mq-operator@sha256:64f5a2ba8f9109f1c1c46278058d99965dccaa9817aad322f2978f14b362aef8

ibm-mqadvanced-server

|

9.3.0.11-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server@sha256:9df47cc265f68914ae93e69cafb55fbe3ea9d88bf477501386cd9c4de7b2365c

ibm-mqadvanced-server-integration

|

9.3.0.11-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:4dacd1afa0c84cc67e5fa25dbeb513b1fb597eee15f9b2cc3e065e8507955b56

ibm-mqadvanced-server-dev

|

9.3.0.11-r1

|

icr.io

|

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:0b002fabb7c64e54f900de78b81a32baaf0733468f8065adfca939c8b9ebcd8d

Workarounds and Mitigations

IBM MQ Container image 9.3.3.2-r2 has been updated to use libcurl 8.4.0 which remediates CVE-2023-38545 and CVE-2023-38546.

The libcurl library which is packaged with RedHat UBI 8.8 is at version 7.61.1-30.

IBM MQ Container image 9.3.3.2-r2 is in IBM MQ Operator v2.4.5.

Affected configurations

Vulners
Node
ibmibm_mq_certified_container_softwareMatch2.4.3
OR
ibmibm_mq_certified_container_softwareMatch2.0.15

CVSS2

4

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:N/I:N/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.016

Percentile

87.5%