IBMCED6F6901B22AA463D46F1E3474CA370C758AF510760ECB96409A0A2C13F4C9ESecurity Bulletin: IBM MQ Passwords specified by MQ java or JMS applications can appear in WebSphere Application Server trace. (CVE-2017-1284)
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N
Summary
Passwords specified by MQ java or JMS applications can appear in WebSphere Application Server trace when establishing CLIENT transport mode connections.
Vulnerability Details
CVEID: CVE-2017-1284**
DESCRIPTION:** IBM MQ could allow a local user with ability to run or enable trace, to obtain sensitive information from WebSphere Application Server traces including user credentials.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125145 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
IBM MQ V8
IBM MQ 8.0.0.0 - 8.0.0.6 maintenance levels
IBM MQ V9
IBM MQ 9.0.0.0 - 9.0.0.1 maintenance levels
IBM MQ V9 CD
- IBM MQ 9.0.1 - 9.0.2 levels.
Remediation/Fixes
IBM MQ V8
IBM MQ V9
IBM MQ V9 CD
Workarounds and Mitigations
None.
Related
4.7 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
1.9 Low
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:M/Au:N/C:P/I:N/A:N