30 matches found

IBM Security Bulletins
added 2023/06/22 5:22 p.m. | 102 views

Security Bulletin: IBM MQ is affected by vulnerabilities in libcURL (CVE-2023-23916, CVE-2023-27535)

Summary Multiple issues were identified within the libcurl library that affect IBM MQ. IBM MQ uses libcurl to provide HTTPURL functionality which is only used to download remote CCDT files and is not used to send or receive messages. Vulnerability Details CVEID:CVE-2023-23916 DESCRIPTION: cURL...

6.5 CVSS | 7.9 AI score | 0.00066 EPSS
Exploits 2 | Affected Software 1

IBM Security Bulletins
added 2023/01/25 3:18 p.m. | 90 views

Security Bulletin: IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. (CVE-2022-31772)

Summary IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. Vulnerability Details CVEID:CVE-2022-31772 DESCRIPTION: IBM MQ could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. CVSS Base score: 5....

6.5 CVSS | 5.9 AI score | 0.00318 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2022/09/27 1:9 p.m. | 44 views

Security Bulletin: IBM MQ is vulnerable to an issue within the Zlib library (CVE-2018-25032)

Summary An issue was identified within the Zlib library that affects IBM MQ. IBM MQ uses Zlib to perform message compression. Vulnerability Details CVEID:CVE-2018-25032 DESCRIPTION: Zlib is vulnerable to a denial of service, caused by a memory corruption in the deflate operation. By using many...

7.5 CVSS | 7.8 AI score | 0.00089 EPSS
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2022/05/11 3:40 p.m. | 19 views

Security Bulletin: IBM MQ WebConsole and REST API are affected by CVE-2021-39031.

Summary An issue was identified within the IBM WebSphere Application Server Liberty profile that IBM MQ uses to provide web console and REST API functionality. Vulnerability Details CVEID: CVE-2021-39031 DESCRIPTION: IBM WebSphere Application Server - Liberty 17.0.0.3 through 22.0.0.1 could allow...

8.8 CVSS | 1.3 AI score | 0.00249 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2021/12/20 11:51 a.m. | 154 views

Security Bulletin: IBM MQ Blockchain bridge dependencies are vulnerable to an issue in Apache Log4j (CVE-2021-45046)

Summary A Remote Code Execution issue was identified within the Log4j fix for CVE-2021-44228 that is used by Fabric Gateway to provide logging functionality. Fabric Gateway is used by the IBM MQ blockchain bridge component of IBM MQ to provide connection capability between IBM MQ queue managers a...

10 CVSS | 0.7 AI score | 0.94358 EPSS
Exploits 343 | Affected Software 1

IBM Security Bulletins
added 2021/12/17 5:19 p.m. | 53 views

Security Bulletin: IBM MQ is vulnerable to multiple Jetty vulnerabilities (CVE-2021-34428, CVE-2021-34429, CVE-2021-28169)

Summary Multiple issues were identified in Eclipse Jetty that IBM MQ Explorer uses and is affected by. Vulnerability Details CVEID: CVE-2021-34428 DESCRIPTION: Eclipse Jetty could allow a physical attacker to bypass security restrictions, caused by a session ID is not invalidated flaw when an...

5.3 CVSS | 5.3 AI score | 0.93778 EPSS
Exploits 9 | Affected Software 1

IBM Security Bulletins
added 2021/07/09 3:21 p.m. | 28 views

Security Bulletin: IBM MQ Appliance is affected by an OpenLDAP vulnerability (CVE-2020-25692)

Summary IBM MQ Appliance has resolved an OpenLDAP vulnerability. Vulnerability Details CVEID: CVE-2020-25692 DESCRIPTION: OpenLDAP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted TCP packet, a remote attacker could exploit this...

7.5 CVSS | 1.5 AI score | 0.04749 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2021/06/15 2:17 p.m. | 84 views

Security Bulletin: IBM MQ Appliance affected by an OpenSSL vulnerability (CVE-2020-1968)

Summary IBM MQ Appliance has resolved an OpenSSL vulnerability. Vulnerability Details CVEID: CVE-2020-1968 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a Raccoon attack in the TLS specification. By computing the pre-master secret in connections...

4.3 CVSS | 1.1 AI score | 0.01042 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2021/03/03 4:5 p.m. | 44 views

Security Bulletin: IBM MQ Appliance is affected by libxslt vulnerabilities (CVE-2019-11068, CVE-2019-18197)

Summary IBM MQ Appliance has resolved libxslt vulnerabilities. Vulnerability Details CVEID: CVE-2019-11068 DESCRIPTION: libxslt could allow a remote attacker to bypass security restrictions, caused by a flaw in the xsltCheckRead and xsltCheckWrite routines. By sending a specially-crafted request,...

9.8 CVSS | 1.2 AI score | 0.04534 EPSS
Exploits 0 | Affected Software 1

CVE
added 2021/02/24 5:20 p.m. | 46 views

CVE-2020-4931

IBM MQ AMQP Channels in IBM MQ 9.1 LTS, 9.2 LTS, and 9.1 CD are affected by a vulnerability that allows an authenticated user to trigger a denial-of-service by processing messages incorrectly. The issue is addressed under APAR IT34485, with fixes/updates available per product version: IBM MQ v8 (...

6.5 CVSS | 6.2 AI score | 0.00377 EPSS
Exploits 0 | References 2 | Affected Software 1

IBM Security Bulletins
added 2021/02/17 10:9 a.m. | 31 views

Security Bulletin: IBM MQ Appliance is affected by multiple BIND vulnerabilities (CVE-2020-8622, CVE-2020-8623, CVE-2020-8624)

Summary IBM MQ Appliance has resolved multiple BIND vulnerabilities. Vulnerability Details CVEID: CVE-2020-8622 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by an assertion failure when attempting to verify a truncated response to a TSIG-signed request. By sending a...

7.5 CVSS | 1.1 AI score | 0.18318 EPSS
Exploits 0 | Affected Software 1

CVE
added 2020/11/18 5:20 p.m. | 39 views

CVE-2020-4592

IBM MQ vulnerability CVE-2020-4592 affects IBM MQ Appliance and related MQ offerings. A data corruption issue can be triggered by an authenticated user under nondefault configuration due to an error in the segmented messages handling in the queue manager processing logic. Affected products includ...

6.5 CVSS | 6.4 AI score | 0.00133 EPSS
Exploits 0 | References 2 | Affected Software 1

IBM Security Bulletins
added 2020/10/13 5:18 p.m. | 16 views

Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2020-4528)

Summary IBM MQ Appliance has resolved an information disclosure vulnerability. Vulnerability Details CVEID: CVE-2020-4528 DESCRIPTION: IBM MQ Appliance could allow a local user, under special conditions, to obtain highly sensitive information from log files. CVSS Base score: 5.9 CVSS Temporal...

5.9 CVSS | 0.5 AI score | 0.00046 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2020/08/05 10:18 a.m. | 29 views

Security Bulletin: IBM MQ is affected by a vulnerability within IBM WebSphere Liberty (CVE-2020-4329)

Summary A vulnerability has been found within the version of IBM WebSphere Liberty shipped with IBM MQ. Vulnerability Details CVEID: CVE-2020-4329 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0 and Liberty 17.0.0.3 through 20.0.0.4 could allow a remote, authenticated attacker to...

4.3 CVSS | 1.3 AI score | 0.00208 EPSS
Exploits 0 | Affected Software 1

CVE
added 2020/07/27 1:31 p.m. | 51 views

CVE-2020-4498

IBM MQ Appliance 9.1 LTS and 9.1 CD are affected by CVE-2020-4498, an information-disclosure vulnerability caused by inclusion of data in trace files. A local privileged user can obtain highly sensitive information from trace output. Remediation: upgrade IBM MQ Appliance to 9.1 LTS with fixpack 9...

4.4 CVSS | 4.2 AI score | 0.0004 EPSS
Exploits 0 | References 2 | Affected Software 1

IBM Security Bulletins
added 2020/07/27 9:25 a.m. | 24 views

Security Bulletin: IBM MQ Appliance is vulnerable to a buffer overflow vulnerability (CVE-2020-4465)

Summary IBM MQ Appliance has resolved a buffer overflow vulnerability. Vulnerability Details CVEID: CVE-2020-4465 DESCRIPTION: IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop are vulnerable to a buffer overflow vulnerability due to an error within the channel processing code. A remote attack...

6.5 CVSS | 1.4 AI score | 0.00531 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2020/07/24 5:7 p.m. | 27 views

Security Bulletin: Multiple Security Vulnerabilities in IBM MQ Affect IBM Sterling B2B Integrator

Summary IBM Sterling B2B Integrator has addressed multiple security vulnerabilities in IBM MQ. Vulnerability Details CVEID: CVE-2019-4619 DESCRIPTION: IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD could allow a local attacker to obtain sensitive information by inclusion o...

7.5 CVSS | 1.2 AI score | 0.00714 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2020/07/23 9:37 p.m. | 43 views

Security Bulletin: IBM MQ Appliance is affected by an information disclosure vulnerability (CVE-2018-20852)

Summary IBM MQ Appliance has resolved an information disclosure vulnerability. Vulnerability Details CVEID: CVE-2018-20852 DESCRIPTION: Python could allow a remote attacker to obtain sensitive information, caused by the failure to correctly validate the domain by...

5.3 CVSS | 1 AI score | 0.01665 EPSS
Exploits 1 | Affected Software 1

IBM Security Bulletins
added 2020/07/23 9:36 p.m. | 43 views

Security Bulletin: IBM MQ Appliance is affected by a denial of service vulnerability (CVE-2019-13232)

Summary IBM MQ Appliance has addressed the following denial of service vulnerability. Vulnerability Details CVEID: CVE-2019-13232 DESCRIPTION: Info-ZIP UnZip is vulnerable to a denial of service, caused by mishandling the overlapping of files inside a ZIP container. By persuading a victim to open...

3.3 CVSS | 1.8 AI score | 0.00047 EPSS
Exploits 0 | Affected Software 1

IBM Security Bulletins
added 2020/07/23 9:34 p.m. | 28 views

Security Bulletin: IBM MQ Appliance is affected by a buffer overflow vulnerability (CVE-2015-2716)

Summary IBM MQ Appliance has resolved a buffer overflow vulnerability. Vulnerability Details CVEID: CVE-2015-2716 DESCRIPTION: Expat, as used in Mozilla Firefox and Thunderbird, is vulnerable to a buffer overflow, caused by improper bounds checking by the XML parser. By persuading a victim to ope...

7.5 CVSS | 2.4 AI score | 0.05614 EPSS
Exploits 0 | Affected Software 1