Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMF8ABF803369A2796F1770F54C1BD3B44961B020438E2304C50AAB09059D3D2F4
HistoryMay 25, 2022 - 9:25 a.m.

Security Bulletin: IBM MQ trace can inadvertently trace sensitive data (CVE-2022-22325)

2022-05-2509:25:39
www.ibm.com
20
ibm mq
tracing vulnerability
sensitive data disclosure
cve-2022-22325
ibm x-force
apar it40099
security update
fixpack 9.0.0.13
fixpack 9.1.0.11
ifix for apar it40099
ibm mq 9.2.5 cd

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0

Percentile

5.1%

JSON

Summary

An issue was identified with IBM MQ tracing logic used by queue managers and native (C-based) MQ clients that meant sensitive data could be captured while IBM MQ trace was running. This data would be stored in plaintext within the IBM MQ trace files.

Vulnerability Details

CVEID:CVE-2022-22325
**DESCRIPTION:**IBM MQ (IBM MQ for HPE NonStop 8.1.0) can inadvertently disclose sensitive information under certain circumstances to a local user from a stack trace. IBM X-Force ID: 218853.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/218853 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM MQ 9.1 LTS
IBM MQ 9.0 LTS
IBM MQ 8.0
IBM MQ 9.2 CD
IBM MQ 9.1 CD
IBM MQ 9.2 LTS

Remediation/Fixes

This issue was resolved under APAR IT40099

IBM MQ version 8.0

Apply Cumulative Security Update 2 for IBM MQ Version 8.0.0.16

IBM MQ version 9.0

Apply FixPack 9.0.0.13

IBM MQ version 9.1 LTS

Apply FixPack 9.1.0.11

IBM MQ version 9.2 LTS

Apply iFix for APAR IT40099

IBM MQ version 9.1 CD and version 9.2 CD

Upgrade to IBM MQ 9.2.5 CD

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmmqMatch8.0.0
OR
ibmmqMatch9.0.0
OR
ibmmqMatch9.1.0
OR
ibmmqMatch9.2.0
VendorProductVersionCPE
ibmmq8.0.0cpe:2.3:a:ibm:mq:8.0.0:*:*:*:*:*:*:*
ibmmq9.0.0cpe:2.3:a:ibm:mq:9.0.0:*:*:*:*:*:*:*
ibmmq9.1.0cpe:2.3:a:ibm:mq:9.1.0:*:*:*:*:*:*:*
ibmmq9.2.0cpe:2.3:a:ibm:mq:9.2.0:*:*:*:*:*:*:*

Related

cnvd 1
nessus 1
cvelist 1
prion 1
cve 1
ibm 2
nvd 1
cnvd
cnvd
IBM MQ for HPE NonStop Information Disclosure Vulnerability
2022-05-17 00:00:00
nessus
nessus
IBM MQ 8.0 <= 8.0.0.16 / 9.0 < 9.0.0.13 / 9.1 < 9.1.0.11 LTS / 9.1 < 9.2.5 CD / 9.2 LTS (6587837)
2022-07-11 00:00:00
cvelist
cvelist
CVE-2022-22325
2022-05-13 16:15:18
prion
prion
Information disclosure
2022-05-13 17:15:00
cve
cve
CVE-2022-22325
2022-05-13 17:15:07
ibm
ibm
Security Bulletin: IBM MQ Appliance is affected by sensitive information disclosure vulnerability (CVE-2022-22325)
2022-05-25 09:23:51
Security Bulletin: IBM MQ for HP NonStop Server is affected by vulnerability CVE-2022-22325
2022-05-12 19:54:35
nvd
nvd
CVE-2022-22325
2022-05-13 17:15:07

CVSS2

1.9

Attack Vector

LOCAL

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0

Percentile

5.1%

JSON
Related for F8ABF803369A2796F1770F54C1BD3B44961B020438E2304C50AAB09059D3D2F4
cnvd1nessus1cvelist1prion1cve1ibm2nvd1