Lucene search

K
ibmIBMEC24DB6644C2E428B0C4C12DCA485C84E63D048A8E4B39F889DF81B205269B1B
HistoryNov 21, 2019 - 2:23 p.m.

Security Bulletin: IBM MQ is affected by multiple vulnerabilities in IBM Java Runtime

2019-11-2114:23:34
www.ibm.com
5

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Summary

There are multiple vulnerabilities in IBM Runtime Environment Java Version 7 and 8 used by IBM MQ. IBM MQ have addressed the applicable CVEs. These issues were disclosed as part of the IBM Java SDK updates in July 2019.

Vulnerability Details

CVEID: CVE-2019-2816 DESCRIPTION: An unspecified vulnerability related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2019-2762 DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163826 for the current score

CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-2769 DESCRIPTION: An unspecified vulnerability related to the Java SE Utilities component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-4473 DESCRIPTION: Multiple binaries in IBM SDK, Java Technology Edition on the AIX platform use insecure absolute RPATHs, which may facilitate code injection and privilege elevation by local users.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-11771 DESCRIPTION: Eclipse OpenJ9 could allow a local attacker to gain elevated privileges on the system, caused by the inclusion of unused RPATHS in AIX builds. An attacker could exploit this vulnerability to inject code and gain elevated privileges on the system.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/163989 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.0 LTS
IBM MQ 9.0 CD
IBM MQ 8.0

Remediation/Fixes

IBM MQ 9.1 Long Term Support (LTS)
Apply APAR IT30207

IBM MQ 9.1 Continuous Delivery Release (CDR)
Apply APAR IT30207

IBM MQ 9.0.0.x Long Term Support (LTS)
Apply Fix Pack v9.0.0.8

IBM MQ V8.0
Apply Fix Pack v8.0.0.13

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm mqeq8.0
ibm mqeq9.0
ibm mqeq9.1

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

5.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

Related for EC24DB6644C2E428B0C4C12DCA485C84E63D048A8E4B39F889DF81B205269B1B