Security Bulletin: IBM MQ Appliance is vulnerable to exposure of sensitive information (CVE-2023-5981 and CVE-2024-0553)

Published: 2024-09-05 21:23:09
Source: www.ibm.com

Aggregator scores (Vulners)

CVSS2: 8.3 (AV:N/AC:L/Au:M/C:C/I:C/A:C)
CVSS3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
AI Score: 6.6 (Confidence: High)
EPSS: 0.002 (Percentile: 62.0%)

Summary

IBM MQ Appliance has addressed GNU GnuTLS exposure of sensitive information vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2023-5981
DESCRIPTION: GNU GnuTLS could allow a remote attacker to obtain sensitive information, caused by a timing side-channel issue during RSA-PSK key exchange. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/271914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2024-0553
DESCRIPTION: GnuTLS could allow a remote attacker to obtain sensitive information. By performing a timing side-channel attack in the RSA-PSK key exchange, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/279606 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Affected Product(s) | Version(s)
IBM MQ Appliance | 9.3 LTS
IBM MQ Appliance | 9.3 CD
IBM MQ Appliance | 9.4 LTS

Remediation/Fixes

These vulnerabilities are addressed under APAR IT46613.

IBM strongly recommends addressing the vulnerabilities now.

IBM MQ Appliance version 9.3 LTS

Apply IBM MQ Appliance fix pack 9.3.0.21, or later firmware.

IBM MQ Appliance version 9.3 CD

Upgrade to IBM MQ Appliance fix pack 9.4.0.5, or later firmware.

IBM MQ Appliance version 9.4 LTS

Apply IBM MQ Appliance fix pack 9.4.0.5, or later firmware.
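The three remediation rules above are easy to misapply across a fleet, because 9.3 LTS and 9.3 CD firmware both start with "9.3" but have different fix targets. The following added example (not part of the IBM bulletin) triages a list of appliance firmware levels against the fix packs named under APAR IT46613. The stream mapping it uses (9.3.0.x is 9.3 LTS, 9.3.1 through 9.3.5 are 9.3 CD, 9.4.0.x is 9.4 LTS) is an assumption based on the IBM MQ release scheme rather than something this page states; the hostnames and inventory are constructed for the example.

```python
# Added example (not IBM's code): triage IBM MQ Appliance firmware levels
# against the fix packs named in APAR IT46613 for CVE-2023-5981 / CVE-2024-0553.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Fix levels as stated in the bulletin, keyed by release stream.
FIX_LEVELS: Dict[str, Version] = {
    "9.3 LTS": (9, 3, 0, 21),
    "9.3 CD": (9, 4, 0, 5),   # no in-stream fix for 9.3 CD; upgrade to 9.4.0.5
    "9.4 LTS": (9, 4, 0, 5),
}


def parse_version(text: str) -> Optional[Version]:
    """Parse a V.R.M.F string such as '9.3.0.17'. Returns None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    v, r, m, f = (int(p) for p in parts)
    return (v, r, m, f)


def stream_of(ver: Version) -> Optional[str]:
    """Map a version to the bulletin's release stream.

    Assumption (IBM MQ release scheme, not stated on this page): 9.3.0.x is
    the 9.3 LTS stream, 9.3.1 to 9.3.5 are 9.3 CD releases, 9.4.0.x is 9.4 LTS.
    """
    v, r, m, _ = ver
    if (v, r, m) == (9, 3, 0):
        return "9.3 LTS"
    if (v, r) == (9, 3) and 1 <= m <= 5:
        return "9.3 CD"
    if (v, r, m) == (9, 4, 0):
        return "9.4 LTS"
    return None


def assess(version_text: str) -> Dict[str, object]:
    """Return a triage record for one reported firmware level."""
    ver = parse_version(version_text)
    if ver is None:
        return {"version": version_text, "status": "unparseable",
                "action": "verify the reported firmware level"}
    stream = stream_of(ver)
    if stream is None:
        return {"version": version_text, "status": "not-covered",
                "action": "not a stream listed in this bulletin; check for a newer bulletin"}
    fix = FIX_LEVELS[stream]
    if ver >= fix:
        return {"version": version_text, "stream": stream, "status": "fixed", "action": "none"}
    verb = "Upgrade to" if stream == "9.3 CD" else "Apply"
    return {"version": version_text, "stream": stream, "status": "vulnerable",
            "action": f"{verb} fix pack {'.'.join(map(str, fix))} or later firmware"}


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Run assess() over (hostname, version) pairs; keep only entries needing action."""
    findings = []
    for host, version in inventory:
        rec = assess(version)
        if rec["status"] != "fixed":
            rec["host"] = host
            findings.append(rec)
    return findings


# Constructed sample inventory; hostnames and levels are made up for this example.
SAMPLE_INVENTORY = [
    ("mqa-prod-01", "9.3.0.17"),
    ("mqa-prod-02", "9.3.0.21"),
    ("mqa-dev-01", "9.3.5.2"),
    ("mqa-ha-01", "9.4.0.0"),
    ("mqa-ha-02", "9.4.0.5"),
    ("mqa-lab-01", "9.3.0."),   # the malformed level that appears in the match list below
]

if __name__ == "__main__":
    for rec in triage_inventory(SAMPLE_INVENTORY):
        print(f"{rec['host']:12} {rec['version']:10} {rec['status']:12} {rec['action']}")
```

Anything outside the three streams (for example a 9.4.x CD level) is reported as not covered rather than silently marked fixed, and a malformed level is flagged for manual verification instead of being skipped.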

Workarounds and Mitigations

Only applicable to IBM MQ Appliances configured in a High Availability group.

Affected configurations

Vulners match rule (any of the following IBM MQ Appliance versions):
9.3.0.0, 9.3.0., 9.3.0.1, 9.3.0.2, 9.3.0.3, 9.3.0.4, 9.3.0.5, 9.3.0.6, 9.3.0.10, 9.3.0.11, 9.3.0.15, 9.3.0.16, 9.3.0.17, 9.3.0.20, 9.3.1.0, 9.3.1.1, 9.3.2.0, 9.3.2.1, 9.3.3.0, 9.3.3.1, 9.3.4.0, 9.3.4.1, 9.3.5.0, 9.3.5.1, 9.3.5.2, 9.4.0.0

Vendor | Product | Version | CPE
ibm | mq_appliance | 9.3.0.0 | cpe:2.3:a:ibm:mq_appliance:9.3.0.0:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0. | cpe:2.3:a:ibm:mq_appliance:9.3.0.:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.1 | cpe:2.3:a:ibm:mq_appliance:9.3.0.1:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.2 | cpe:2.3:a:ibm:mq_appliance:9.3.0.2:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.3 | cpe:2.3:a:ibm:mq_appliance:9.3.0.3:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.4 | cpe:2.3:a:ibm:mq_appliance:9.3.0.4:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.5 | cpe:2.3:a:ibm:mq_appliance:9.3.0.5:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.6 | cpe:2.3:a:ibm:mq_appliance:9.3.0.6:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.10 | cpe:2.3:a:ibm:mq_appliance:9.3.0.10:*:*:*:*:*:*:*
ibm | mq_appliance | 9.3.0.11 | cpe:2.3:a:ibm:mq_appliance:9.3.0.11:*:*:*:*:*:*:*
(first 10 of 261 CPE rows shown)
