CVSS3: 8.8 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.005 Low (Percentile: 75.6%)

Multiple issues were identified in the Red Hat UBI (ubi8/ubi-minimal) v8.6-x packages containerd, gnupg2 and runc, and in IBM WebSphere Application Server Liberty, all of which were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.
CVEID: CVE-2022-23648
**DESCRIPTION:** containerd could allow a remote attacker to obtain sensitive information, caused by a flaw in the CRI implementation. By using a specially-crafted image configuration, an attacker could exploit this vulnerability to access read-only copies of arbitrary files and directories on the host system, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/220823 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2022-34903
**DESCRIPTION:** GnuPG could allow a remote attacker to conduct spoofing attacks, caused by a flaw when processing secret-key information from the keyring. By sending a specially-crafted request to perform injection into the status line, an attacker could exploit this vulnerability to perform signature spoofing.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/230354 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2019-16884
**DESCRIPTION:** runc could allow a local attacker to bypass security restrictions, caused by a flaw in libcontainer/rootfs_linux.go. By using a malicious volume, an attacker could exploit this vulnerability to bypass AppArmor restrictions.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/167792 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2022-22476
**DESCRIPTION:** IBM WebSphere Application Server Liberty 17.0.0.3 through 22.0.0.7 and Open Liberty are vulnerable to identity spoofing by an authenticated user using a specially crafted request. IBM X-Force ID: 225604.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/225604 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2021-30465
**DESCRIPTION:** Open Container Initiative runc could allow a remote authenticated attacker to bypass security restrictions, caused by a symlink exchange attack. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the host filesystem to be bind-mounted into the container.
CVSS Base score: 7.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/202132 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM MQ Operator | 2.0.3 and prior releases |
IBM supplied MQ Advanced container images | 9.3.0.1-r1 and prior releases |
The issues listed in this security bulletin are addressed in the IBM MQ Operator 2.1.0 CD release, which included IBM supplied MQ Advanced 9.3.1.0 container images, and in the IBM MQ Operator 2.0.4 LTS release, which included IBM supplied MQ Advanced 9.3.0.1 container images.
IBM MQ Operator 2.1.0 CD release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.1.0 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:8cab17d56f7f2e1cc1f29df3ff97a6d6bc6c0d415f5c307910082913e83d7b9c |
ibm-mqadvanced-server | 9.3.1.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:f97c43c14ea818f6f026e36b1852b9c26efc3fe99e9f993598c6d49df80febf0 |
ibm-mqadvanced-server-integration | 9.3.1.0-r1 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1c4c8f62e189afd6e0cd5734f4967201c8be4f73e54fbd2f755df9a6633bfd43 |
ibm-mqadvanced-server-dev | 9.3.1.0-r1 | icr.io | icr.io/ibm-messaging/mq@sha256:bc826f8c18c59743367bf96f059d9feb09d21d02c4077363e5687fd77ed737b8 |
IBM MQ Operator 2.0.4 LTS release details:
Image | Fix Version | Registry | Image Location |
---|---|---|---|
ibm-mq-operator | 2.0.4 | icr.io | icr.io/cpopen/ibm-mq-operator@sha256:284280d9ae439fea0d4f835efcab4f0fbe975b9f58f131e1d767974cb968417c |
ibm-mqadvanced-server | 9.3.0.1-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server@sha256:5f52957765fb9110a0e6251df5f919c21bf6bb7427f1cb80744cb3c0e8dd7996 |
ibm-mqadvanced-server-integration | 9.3.0.1-r2 | cp.icr.io | cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:3d395ec538a4674073b7bfb63030e2b668f76eb9372168d9dd1810c7071e6530 |
ibm-mqadvanced-server-dev | 9.3.0.1-r2 | icr.io | icr.io/ibm-messaging/mq@sha256:cd2801a9740468690b0f0787703b5be347f6a83ce281a79f2e42e3a3b99da8f7 |
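
One way to triage deployed image references against the affected-version and fix tables above, as an added example that is not part of the bulletin and not IBM's code. It assumes image tags carry the versions the bulletin uses (V.R.M for the operator, V.R.M.F-rN for the MQ images) and that repositories are identified by their final path component; the sample references are constructed.

```python
import re

# Fixed image locations copied from the two fix tables in this bulletin.
FIXED_REFS = set("""
icr.io/cpopen/ibm-mq-operator@sha256:8cab17d56f7f2e1cc1f29df3ff97a6d6bc6c0d415f5c307910082913e83d7b9c
cp.icr.io/cp/ibm-mqadvanced-server@sha256:f97c43c14ea818f6f026e36b1852b9c26efc3fe99e9f993598c6d49df80febf0
cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1c4c8f62e189afd6e0cd5734f4967201c8be4f73e54fbd2f755df9a6633bfd43
icr.io/ibm-messaging/mq@sha256:bc826f8c18c59743367bf96f059d9feb09d21d02c4077363e5687fd77ed737b8
icr.io/cpopen/ibm-mq-operator@sha256:284280d9ae439fea0d4f835efcab4f0fbe975b9f58f131e1d767974cb968417c
cp.icr.io/cp/ibm-mqadvanced-server@sha256:5f52957765fb9110a0e6251df5f919c21bf6bb7427f1cb80744cb3c0e8dd7996
cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:3d395ec538a4674073b7bfb63030e2b668f76eb9372168d9dd1810c7071e6530
icr.io/ibm-messaging/mq@sha256:cd2801a9740468690b0f0787703b5be347f6a83ce281a79f2e42e3a3b99da8f7
""".split())

# Last affected version per repository name, from the affected-products table.
# Assumption: tags carry the bulletin's versions (V.R.M or V.R.M.F-rN).
LAST_AFFECTED = {
    "ibm-mq-operator": (2, 0, 3),
    "ibm-mqadvanced-server": (9, 3, 0, 1, 1),
    "ibm-mqadvanced-server-integration": (9, 3, 0, 1, 1),
    "mq": (9, 3, 0, 1, 1),  # icr.io/ibm-messaging/mq, the -dev image
}
TAG_RE = re.compile(r"\d+(\.\d+)*(-r\d+)?")

def parse_tag(tag):
    """'9.3.0.1-r2' -> (9, 3, 0, 1, 2); None for tags that are not versions."""
    if not TAG_RE.fullmatch(tag):
        return None
    return tuple(int(n) for n in re.findall(r"\d+", tag))

def classify(image_ref):
    """Return 'fixed', 'affected' or 'unknown' for one image reference."""
    if "@" in image_ref:  # digest pin: only digests listed in the bulletin are known
        return "fixed" if image_ref in FIXED_REFS else "unknown"
    repo, _, tag = image_ref.rpartition(":")
    limit = LAST_AFFECTED.get(repo.rsplit("/", 1)[-1])
    version = parse_tag(tag)
    # Floating or partial tags ("latest", "9.3.0.1") cannot be ordered safely.
    if limit is None or version is None or len(version) != len(limit):
        return "unknown"
    return "affected" if version <= limit else "fixed"

# Constructed sample input, e.g. image fields collected from pod specs.
SAMPLE = ["cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.1-r1",
          "cp.icr.io/cp/ibm-mqadvanced-server:9.3.1.0-r1",
          "icr.io/cpopen/ibm-mq-operator:2.0.3", "icr.io/ibm-messaging/mq:latest"]

if __name__ == "__main__":
    print("\n".join(f"{classify(r):9} {r}" for r in SAMPLE))
```

An "unknown" result means the reference has to be resolved to a digest and compared with the fix tables by hand; it is not evidence that the image is fixed.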
None