IBMDC148DFF8F4F5A603E125159387DDB74B130ECA96CD5DB991E8DFDB9CB8F33B2Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from libcurl, openssl, gnutls, libarchive and libsepol
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.021 Low
EPSS
Percentile
88.9%
Summary
Multiple issues were identified in Red Hat UBI packages libcurl, openssl, gnutls, libarchive and libsepol that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images.
Vulnerability Details
CVEID:CVE-2023-0286
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a type confusion error related to X.400 address processing inside an X.509 GeneralName. By passing arbitrary pointers to a memcmp call, a remote attacker could exploit this vulnerability to read memory contents or cause a denial of service.
CVSS Base score: 8.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246611 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
CVEID:CVE-2023-23914
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the HSTS function when multiple URLs are requested serially. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247433 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-23915
**DESCRIPTION:**cURL libcurl could allow a remote attacker to obtain sensitive information, caused by a flaw in the HSTS function when multiple URLs are requested in parallel. By sniffing the network traffic, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247436 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-23916
**DESCRIPTION:**cURL libcurl is vulnerable to a denial of service, caused by a flaw in the decompression chain implementation. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause memory errors, and results in a denial of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247437 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-40897
**DESCRIPTION:**Pypa Setuptools is vulnerable to a denial of service, caused by improper input validation. By sending request with a specially crafted regular expression, an remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243028 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-0361
**DESCRIPTION:**GnuTLS could allow a remote attacker to obtain sensitive information, caused by a timing side-channel flaw in the handling of RSA ClientKeyExchange messages. By recovering the secret from the ClientKeyExchange message, an attacker could exploit this vulnerability to decrypt the application data exchanged over that connection, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/247680 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2017-14166
**DESCRIPTION:**libarchive is vulnerable to a denial of service, caused by a xml_data heap-based buffer over-read issue in the atol8 function in archive_read_support_format_xar.c. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 5.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/131555 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
CVEID:CVE-2022-4304
**DESCRIPTION:**OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for decryption, an attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246612 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2022-4450
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEM_read_bio_ex() function. By sending specially crafted PEM files for parsing, a remote attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID:CVE-2023-0215
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a use-after-free error related to the incorrect handling of streaming ASN.1 data by the BIO_new_NDEF function. A remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/246614 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
**IBM X-Force ID:**221405
**DESCRIPTION:**SELinux Project SELinux Userspace is vulnerable to a denial of service, caused by a toHeap-use-after-free flaw in the cil_reset_classperms_set function in libsepol/cil/src/cil_reset_ast.c. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a denial of service condition or obtain sensitive information.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/221405 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|
IBM MQ Operator
|
CD: v2.3.1 and prior releases
LTS: v2.0.9 and prior releases
IBM supplied MQ Advanced container images
|
9.3.2.0-r2, 9.3.0.4-r2 and prior releases
Remediation/Fixes
Issue mentioned by this security bulletin is addressed in IBM MQ Operator v2.3.2 CD release that included IBM supplied MQ Advanced 9.3.2.1-r1 container image and IBM MQ Operator v2.0.10 LTS release that included IBM supplied MQ Advanced 9.3.0.5-r1 container image.
IBM strongly recommends addressing the vulnerability now
**IBM MQ Operator 2.3.2 CD release details:
**
Image
|
Fix Version
|
Registry
|
Image Location
—|—|—|—
ibm-mq-operator
|
v2.3.2
|
|
ibm-mqadvanced-server
|
9.3.2.1-r1
|
|
ibm-mqadvanced-server-integration
|
9.3.2.1-r1
|
|
ibm-mqadvanced-server-dev
|
9.3.2.1-r1
|
|
icr.io/ibm-messaging/mq@sha256:c43cd3ba98e61dd421465d32afa3b8be4c177c851dc78eaf6681174988ca1d2d
**IBM MQ Operator V2.0.10 LTS release details: **
Image
|
Fix Version
|
Registry
|
Image Location
—|—|—|—
ibm-mq-operator
|
2.0.10
|
|
ibm-mqadvanced-server
|
9.3.0.5-r1
|
|
ibm-mqadvanced-server-integration
|
9.3.0.5-r1
|
|
ibm-mqadvanced-server-dev
|
9.3.0.5-r1
|
|
icr.io/ibm-messaging/mq@sha256:327de72c56b374aae387631858d561c71d75bb46c510037d25ecaf97dc45b252
Workarounds and Mitigations
Important Note for users of Operations Dashboard on IBM MQ LTS Queue Manager Container 9.3.0.5-r1 Image
When Operations Dashboard is enabled, IBM MQ LTS Queue Manager Container Images 9.3.0.5-r1 deploy Operations Dashboard
Agent and Collector images that do not contain the latest security fixes available at the time of their GA.
Mitigation: Upgrade all IBM MQ LTS Queue Manager Container 9.3.0.5-r1 images with Operations Dashboard enabled to at least 9.3.0.5-r3.
To complete this upgrade, follow the instructions in Upgrading an IBM MQ queue manager using Red Hat OpenShift.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm mq certified container software | eq | 2.3.2 | |
| ibm mq certified container software | eq | 2.0.10 |
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.021 Low
EPSS
Percentile
88.9%