IBMFC4A1A82625FE57D2FF248767B620FAE3653912EC4150E7443CF0423A27DEBE7Security Bulletin: IBM MQ Appliance is vulnerable to exposure of sensitive information (CVE-2023-5981 and CVE-2024-0533)
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:M/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
62.0%
Summary
IBM MQ Appliance has addressed GNU GnuTLS exposure of sensitive information vulnerabilities.
Vulnerability Details
CVEID:CVE-2023-5981
**DESCRIPTION:**GNU GnuTLS could allow a remote attacker to obtain sensitive information, caused by a timing sidechannel issue during RSA-PSK key exchange. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/271914 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2024-0553
**DESCRIPTION:**GnuTLS could allow a remote attacker to obtain sensitive information. By perform a timing side-channel attack in the RSA-PSK key exchange, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/279606 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ Appliance | 9.3 LTS |
| IBM MQ Appliance | 9.3 CD |
| IBM MQ Appliance | 9.4 LTS |
Remediation/Fixes
This vulnerability is addressed under APAR IT46613
IBM strongly recommends addressing the vulnerability now.
IBM MQ Appliance version 9.3 LTS
Apply IBM MQ Appliance fix pack 9.3.0.21, or later firmware.
IBM MQ Appliance version 9.3 CD
Upgrade to IBM MQ Appliance fix pack 9.4.0.5, or later firmware.
IBM MQ Appliance version 9.4 LTS
Apply IBM MQ Appliance fix pack 9.4.0.5, or later firmware.
Workarounds and Mitigations
Only applicable to IBM MQ Appliances configured in a High Availability group.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | mq_appliance | 9.3.0.0 | cpe:2.3:a:ibm:mq_appliance:9.3.0.0:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0. | cpe:2.3:a:ibm:mq_appliance:9.3.0.:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.1 | cpe:2.3:a:ibm:mq_appliance:9.3.0.1:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.2 | cpe:2.3:a:ibm:mq_appliance:9.3.0.2:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.3 | cpe:2.3:a:ibm:mq_appliance:9.3.0.3:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.4 | cpe:2.3:a:ibm:mq_appliance:9.3.0.4:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.5 | cpe:2.3:a:ibm:mq_appliance:9.3.0.5:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.6 | cpe:2.3:a:ibm:mq_appliance:9.3.0.6:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.10 | cpe:2.3:a:ibm:mq_appliance:9.3.0.10:*:*:*:*:*:*:* |
| ibm | mq_appliance | 9.3.0.11 | cpe:2.3:a:ibm:mq_appliance:9.3.0.11:*:*:*:*:*:*:* |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
MULTIPLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:M/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
62.0%