Lucene search

K
ibmIBMF1F54750858898975B4280454CBAED5273B291D275B0F25FA7488372B8A83361
HistoryApr 26, 2024 - 7:52 p.m.

Security Bulletin: IBM MQ Advanced Message Security on IBM i platform is affected by multiple issues in OpenSSL (CVE-2023-6237 and CVE-2024-0727)

2024-04-2619:52:43
www.ibm.com
10
ibm mq
advanced message security
ibm i platform
openssl
vulnerabilities
remediation

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.0%

Summary

Multiple issues were identified with OpenSSL, which IBM MQ on the IBM i platform uses within the Advanced Message Security feature to provide cryptographic functionality. It is not used for transport layer security (TLS) functionality for IBM MQ channel connections, which is provided by the IBM i SystemTLS libraries.

Vulnerability Details

CVEID:CVE-2023-6237
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by a flaw in the handling of RSA public keys by the EVP_PKEY_public_check() function. By persuading a victim to sue a specially crafted RSA public keys for verification, a remote attacker could exploit this vulnerability to cause long delays, and results in a denial of service condition.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279450 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

CVEID:CVE-2024-0727
**DESCRIPTION:**OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base score: 3.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/280532 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.0 LTS
IBM MQ 9.1 LTS
IBM MQ 9.2 LTS
IBM MQ 9.3 LTS

The following installable MQ components are affected by the vulnerability:

- Advanced Message Security (AMS)

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins&gt;

Remediation/Fixes

This issue was addressed under APAR SE81096

IBM MQ version 9.0 LTS

Apply Cumulative Security Update 9.0.0.24

IBM MQ version 9.1 LTS

Apply Cumulative Security Update 9.1.0.21

IBM MQ version 9.2 LTS

Apply Fix Pack 9.2.0.25

IBM MQ version 9.3 LTS

Apply Cumulative Security Update 9.3.0.17

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmqMatch9.0
OR
ibmmqMatch9.1
OR
ibmmqMatch9.2
OR
ibmmqMatch9.3
CPENameOperatorVersion
ibm mqeq9.0
ibm mqeq9.1
ibm mqeq9.2
ibm mqeq9.3

5.5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

61.0%