
Security Bulletin: IBM MQ is vulnerable to an issue in Eclipse Jetty (CVE-2021-28165)

2021-11-15 15:38:29
www.ibm.com

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.8 High

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.965 High
Percentile: 99.5%

Summary

An issue was identified in Eclipse Jetty that affects IBM MQ. Eclipse Jetty is used within the MQ Explorer, MQ Salesforce Bridge and MQ Blockchain Bridge components.

Vulnerability Details

CVEID: CVE-2021-28165
**DESCRIPTION:** Eclipse Jetty is vulnerable to a denial of service, caused by improper input validation. By sending a specially-crafted TLS frame, a remote attacker could exploit this vulnerability to cause CPU resources to reach 100% usage.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/199305 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.2 CD |
| IBM MQ | 9.1 LTS |
| IBM MQ | 9.1 CD |
| IBM MQ | 9.0 LTS |

Remediation/Fixes

This issue was resolved under APAR IT37719.

IBM MQ version 9.2 LTS

Apply FixPack 9.2.0.3

IBM MQ version 9.1 CD and 9.2 CD

Upgrade to IBM MQ 9.2.3

IBM MQ version 9.1 LTS

Apply FixPack 9.1.0.9

IBM MQ version 9.0 LTS

Apply FixPack 9.0.0.12
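
A triage sketch for the fix levels listed above, added here as an example and not taken from IBM's bulletin: it parses an installed version string, decides LTS versus CD, and compares it with the stated fix level. It assumes a modification digit of 0 marks an LTS release and 1 or higher a CD release; the host names and version strings are constructed, and the result says nothing about whether MQ Explorer or the bridge components are installed.

```python
import re

# Fix levels copied from the Remediation/Fixes section of the bulletin.
LTS_FIX = {(9, 0): (9, 0, 0, 12), (9, 1): (9, 1, 0, 9), (9, 2): (9, 2, 0, 3)}
CD_FIX = (9, 2, 3, 0)          # 9.1 CD and 9.2 CD are both told to move to 9.2.3
CD_LISTED = {(9, 1), (9, 2)}   # the bulletin lists no 9.0 CD stream


def parse_vrmf(text):
    """Return (V, R, M, F) from text such as '9.2.0.1' or 'Version: 9.1.5.0'."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no MQ version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def triage(text):
    """Return (status, target) where status is needs-fix, fixed or not-listed."""
    vrmf = parse_vrmf(text)
    v, r, mod, _ = vrmf
    if mod == 0:   # assumption: modification 0 means an LTS release
        fix = LTS_FIX.get((v, r))
        digits = 4
    else:          # assumption: modification >= 1 means a CD release
        fix = CD_FIX if (v, r) in CD_LISTED else None
        digits = 3
    if fix is None:
        return "not-listed", None
    target = ".".join(str(n) for n in fix[:digits])
    return ("needs-fix" if vrmf < fix else "fixed"), target


if __name__ == "__main__":
    # Constructed inventory: host name -> version string as an inventory tool might report it.
    inventory = {
        "mq-lts-a": "Version:     9.2.0.2",
        "mq-lts-b": "9.1.0.9",
        "mq-cd-a": "9.1.5.0",
        "mq-cd-b": "9.2.3.0",
        "mq-old": "9.0.0.11",
        "mq-other": "9.0.5.0",
    }
    for host, version in inventory.items():
        status, target = triage(version)
        print(f"{host:10} {parse_vrmf(version)} {status:10} target={target}")
```

Hosts reported as not-listed fall outside the version streams this bulletin names and need a separate check against IBM's support information.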

Workarounds and Mitigations

None

CPE

| Name | Operator | Version |
| --- | --- | --- |
| ibm mq | eq | 9.0.0 |
| ibm mq | eq | 9.1.0 |
| ibm mq | eq | 9.2.0 |
