
IBM MQ container software: CVSS (Max): 7.5

===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2024.2759
IBM MQ Operator and Queue manager container images are vulnerable to
protobuf-go, libcurl, libexpat, Java SE, IBM GSKit-Crypto, open redirect,
buffer overflow condition and golang-fips/openssl vulnerabilities.
1 May 2024

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product: IBM MQ container software
Publisher: IBM
Operating System: Red Hat
Resolution: Patch/Upgrade
CVE Names: CVE-2023-28322 CVE-2024-25048 CVE-2024-24786
CVE-2023-26159 CVE-2023-46218 CVE-2024-1394
CVE-2024-20952 CVE-2023-33850 CVE-2023-38546
CVE-2023-52425

Original Bulletin:
https://www.ibm.com/support/pages/node/7149801

Comment: CVSS (Max): 7.5 CVE-2024-25048 (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVSS Source: IBM
Calculator: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM MQ Operator and Queue manager container images are
vulnerable to protobuf-go, libcurl, libexpat, Java SE, IBM GSKit-Crypto, open
redirect, buffer overflow condition and golang-fips/openssl vulnerabilities.

Document Information

Document number : 7149801
Modified date : 30 April 2024
Product : IBM MQ container software
Component : –
Software version : IBM MQ Operator 3.1.2, IBM MQ Operator 2.0.21
Operating system(s): RedHat OpenShift

Security Bulletin

Summary

IBM MQ Operator and Queue manager container images are vulnerable to issues in
protobuf-go, libcurl, libexpat and golang-fips/openssl that were identified in
the Red Hat UBI base image. IBM MQ itself is vulnerable to a buffer overflow
condition, an open redirect that enables phishing attacks (follow-redirects),
and issues in Java SE and IBM GSKit-Crypto. This bulletin identifies the steps
required to address the vulnerabilities.

Vulnerability Details

CVEID: CVE-2024-24786
DESCRIPTION: Protocol Buffers protobuf-go is vulnerable to a denial of service,
caused by an infinite loop flaw in the protojson.Unmarshal function when
unmarshaling certain forms of invalid JSON. By sending a specially crafted
request, a remote attacker could exploit this vulnerability to cause a denial
of service condition.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
285337 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-46218
DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security
restrictions, caused by a mixed-case flaw when curl is built without PSL
support. By sending a specially crafted request, an attacker could exploit this
vulnerability to allow an HTTP server to set “super cookies” in curl.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
273320 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2023-52425
DESCRIPTION: libexpat is vulnerable to a denial of service, caused by improper
system resource allocation. By sending a specially crafted request using an
overly large token, a remote attacker could exploit this vulnerability to cause
a denial of service.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
281438 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-25048
DESCRIPTION: IBM MQ is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking. A remote authenticated attacker could overflow a
buffer and execute arbitrary code on the system or cause the server to crash.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
283137 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2023-26159
DESCRIPTION: follow-redirects could allow a remote attacker to conduct phishing
attacks, caused by an open redirect vulnerability. An attacker could exploit
this vulnerability using a specially crafted URL to redirect a victim to
arbitrary Web sites.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
278622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2024-20952
DESCRIPTION: An unspecified vulnerability in Java SE related to the Security
component could allow a remote attacker to cause high confidentiality impact
and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
279685 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2023-33850
DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive
information, caused by a timing-based side channel in the RSA Decryption
implementation. By sending an overly large number of trial messages for
decryption, an attacker could exploit this vulnerability to obtain sensitive
information. IBM X-Force ID: 257132.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
257132 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-1394
DESCRIPTION: Golang golang-fips/openssl is vulnerable to a denial of service,
caused by memory leaks in code encrypting and decrypting RSA payloads. By using
specially crafted public RSA keys which are not compliant with SP 800-56B, a
remote attacker could exploit this vulnerability to exhaust all available
resources.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
286318 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2023-28322
DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security
restrictions, caused by a flaw in the logic for a reused handle when it is
(expected to be) changed from a PUT to a POST. By sending a specially crafted
request, an attacker could exploit this vulnerability to cause the application
to misbehave and either send off the wrong data or use memory after free or
similar in the second transfer.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
255626 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID: CVE-2023-38546
DESCRIPTION: cURL libcurl could allow a remote attacker to bypass security
restrictions, caused by a flaw in the curl_easy_duphandle function if a
transfer has cookies enabled when the handle is duplicated. By sending a
specially crafted request, an attacker could exploit this vulnerability to
insert cookies at will into a running program.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
268046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

Affected Product(s): IBM MQ Operator
Version(s):
  CD: v3.0.0, v3.0.1, v3.1.0, 3.1.1
  LTS: v2.0.0 - 2.0.20
  Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2, 2.3.0 - 2.3.3

Affected Product(s): IBM supplied MQ Advanced container images
Version(s):
  CD: 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2
  LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus,
  9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus,
  9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1,
  9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
  9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2,
  9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2,
  9.3.0.11-r1, 9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2
  Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus,
  9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus,
  9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1,
  9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3,
  9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1,
  9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1,
  9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1,
  9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1,
  9.3.3.2-r2, 9.3.3.2-r3, 9.3.3.3-r1, 9.3.3.3-r2

Remediation/Fixes

Issues mentioned by this security bulletin are addressed in:

o IBM MQ Operator v3.1.2 CD release that included IBM supplied MQ Advanced
9.3.5.1-r1 container image
o IBM MQ Operator v2.0.21 LTS release that included IBM supplied MQ Advanced
9.3.0.17-r1 container image

IBM strongly recommends applying the latest container images.

IBM MQ Operator 3.1.2 CD release details:

Image: ibm-mq-operator
Fix Version: v3.1.2
Registry: icr.io
Image Location: icr.io/cpopen/ibm-mq-operator@sha256:90f199d5048250bafa40a0d1614b8cbad5231eba94a6cc170691eb265a98b39c

Image: ibm-mqadvanced-server
Fix Version: 9.3.5.1-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-server@sha256:4c0758f69458f355b0050bfedebfbbcbcef4dcd63b579ac0cb28ec847b67ad03

Image: ibm-mqadvanced-server-integration
Fix Version: 9.3.5.1-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-serv-integration@sha256:40463f313e9bad9f56a067c90db1ea6c3da9dfb601b8941a8f3adf0ac7e10f50

Image: ibm-mqadvanced-server-dev
Fix Version: 9.3.5.1-r1
Registry: icr.io
Image Location: icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:500538870bb1b65fccfb31730180b057460245b7e343f79fd2731b24fed12214

IBM MQ Operator V2.0.21 LTS release details:

Image: ibm-mq-operator
Fix Version: v2.0.21
Registry: icr.io
Image Location: icr.io/cpopen/ibm-mq-operator@sha256:5fe11ca9a1424b4a179036bd2471064a80b22a0cb80b5e55ea38f2662dc3a855

Image: ibm-mqadvanced-server
Fix Version: 9.3.0.17-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-server@sha256:e06c3e581eeb7de3d47bfd0443e3dd53bc6269f311367baf694a408ec86a247e

Image: ibm-mqadvanced-server-integration
Fix Version: 9.3.0.17-r1
Registry: cp.icr.io
Image Location: cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:0625da0330e74e4335758a9ba666cd18239bd876ab21e572fb8ce4a4183d9c44

Image: ibm-mqadvanced-server-dev
Fix Version: 9.3.0.17-r1
Registry: icr.io
Image Location: icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:4a41d476cdafbc6b876209c13d6230c7773784d7977f1bd5501ea471a0956492
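As an added example (not IBM's or AusCERT's tooling), the Python below triages a list of deployed image references against the remediation data in this bulletin: a digest-pinned reference is matched against the fixed digests in the two release tables, an operator tag is checked against the affected version ranges in the Affected Products table, and an MQ Advanced server tag is compared numerically with the fixed level of its stream (9.3.0.17-r1 for the 9.3.0.x LTS stream, 9.3.5.1-r1 for everything else), which generalises the bulletin's enumerated list of affected tags. The sample references, the registry.example host and the all-zero digest are constructed for illustration.

```python
"""Triage IBM MQ container image references against this bulletin.

Added example, not IBM's or AusCERT's tooling. Digests and version
ranges are copied from the bulletin; SAMPLE_REFS is constructed input.
"""
import re

# Digests from the Operator 3.1.2 CD and Operator 2.0.21 LTS fix tables.
FIXED_DIGESTS = {
    "sha256:90f199d5048250bafa40a0d1614b8cbad5231eba94a6cc170691eb265a98b39c",  # ibm-mq-operator v3.1.2
    "sha256:4c0758f69458f355b0050bfedebfbbcbcef4dcd63b579ac0cb28ec847b67ad03",  # ibm-mqadvanced-server 9.3.5.1-r1
    "sha256:40463f313e9bad9f56a067c90db1ea6c3da9dfb601b8941a8f3adf0ac7e10f50",  # ibm-mqadvanced-server-integration 9.3.5.1-r1
    "sha256:500538870bb1b65fccfb31730180b057460245b7e343f79fd2731b24fed12214",  # ibm-mqadvanced-server-dev 9.3.5.1-r1
    "sha256:5fe11ca9a1424b4a179036bd2471064a80b22a0cb80b5e55ea38f2662dc3a855",  # ibm-mq-operator v2.0.21
    "sha256:e06c3e581eeb7de3d47bfd0443e3dd53bc6269f311367baf694a408ec86a247e",  # ibm-mqadvanced-server 9.3.0.17-r1
    "sha256:0625da0330e74e4335758a9ba666cd18239bd876ab21e572fb8ce4a4183d9c44",  # ibm-mqadvanced-server-integration 9.3.0.17-r1
    "sha256:4a41d476cdafbc6b876209c13d6230c7773784d7977f1bd5501ea471a0956492",  # ibm-mqadvanced-server-dev 9.3.0.17-r1
}

# Operator versions the bulletin lists as affected (inclusive) and as fixed.
AFFECTED_OPERATOR = [((3, 0, 0), (3, 1, 1)), ((2, 0, 0), (2, 0, 20)),
                     ((2, 4, 0), (2, 4, 8)), ((2, 3, 0), (2, 3, 3)),
                     ((2, 2, 0), (2, 2, 2))]
FIXED_OPERATOR = {(3, 1, 2), (2, 0, 21)}

# Fixed MQ Advanced levels as (major, minor, mod, fix, r-level). The bulletin
# enumerates affected tags; comparing against the fixed level of the matching
# stream generalises that list.
FIXED_MQ_LTS = (9, 3, 0, 17, 1)  # 9.3.0.17-r1 for the 9.3.0.x LTS stream
FIXED_MQ_CD = (9, 3, 5, 1, 1)    # 9.3.5.1-r1 for every other stream

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_image_ref(ref):
    """Split 'registry/repo[:tag][@sha256:...]' into (repo, tag, digest)."""
    name, _, digest = ref.partition("@")
    if digest and not DIGEST_RE.fullmatch(digest):
        raise ValueError("malformed digest in %r" % ref)
    # A colon after the last slash separates the tag; an earlier colon
    # belongs to a registry port (registry.example:5000/...).
    colon, slash = name.rfind(":"), name.rfind("/")
    if colon > slash:
        return name[:colon], name[colon + 1:], digest or None
    return name, None, digest or None


def parse_operator_version(tag):
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_mq_level(tag):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)-r(\d+)(?:-eus)?", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def assess(ref):
    """One of: fixed, affected, unverified-digest, unpinned, not-listed, unrecognised."""
    repo, tag, digest = parse_image_ref(ref)
    image = repo.rsplit("/", 1)[-1]
    if digest:
        # A digest pin is authoritative. Anything not in the fix tables has to
        # be checked against newer IBM bulletins rather than assumed fixed.
        return "fixed" if digest in FIXED_DIGESTS else "unverified-digest"
    if tag is None:
        return "unpinned"
    if image == "ibm-mq-operator":
        v = parse_operator_version(tag)
        if v is None:
            return "unrecognised"
        if v in FIXED_OPERATOR:
            return "fixed"
        if any(lo <= v <= hi for lo, hi in AFFECTED_OPERATOR):
            return "affected"
        return "not-listed"
    if image.startswith("ibm-mqadvanced-server"):
        lvl = parse_mq_level(tag)
        if lvl is None:
            return "unrecognised"
        fixed = FIXED_MQ_LTS if lvl[:3] == (9, 3, 0) else FIXED_MQ_CD
        return "fixed" if lvl >= fixed else "affected"
    return "unrecognised"


def triage(refs):
    """Map each image reference to its assessment."""
    return {ref: assess(ref) for ref in refs}


# Constructed sample: references as they might appear in pod specs.
SAMPLE_REFS = [
    "icr.io/cpopen/ibm-mq-operator@sha256:90f199d5048250bafa40a0d1614b8cbad5231eba94a6cc170691eb265a98b39c",
    "icr.io/cpopen/ibm-mq-operator:v3.1.1",
    "cp.icr.io/cp/ibm-mqadvanced-server:9.3.0.16-r2",
    "registry.example:5000/cp/ibm-mqadvanced-server:9.3.5.1-r1",
    "cp.icr.io/cp/ibm-mqadvanced-server",
]

if __name__ == "__main__":
    for ref, status in triage(SAMPLE_REFS).items():
        print("%-18s %s" % (status, ref))
```

Tags are mutable, so for the server images the digest recorded in a pod's container status is the better input to `assess` than the tag in the pod spec; a reference with neither tag nor digest is reported as unpinned and cannot be assessed at all.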

Workarounds and Mitigations

None

References

https://access.redhat.com/errata/RHSA-2024:1601
https://access.redhat.com/errata/RHSA-2024:1615
https://access.redhat.com/errata/RHSA-2024:1472
https://www.ibm.com/support/pages/node/7149481
https://www.ibm.com/support/pages/node/7142040
https://www.ibm.com/support/pages/node/7149586

Acknowledgement

Change History

30 Apr 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an “industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to
address potential vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a product/service inventory, we
address relevant vulnerabilities regardless of CVE date. Inclusion of an older
CVEID does not demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as of that date. We
are making clients aware of relevant vulnerabilities as we become aware of
them. “Affected Products and Versions” referenced in IBM Security Bulletins are
intended to be only products and versions that are supported by IBM and have
not passed their end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in this Security Bulletin
does not constitute a determination by IBM that they are unaffected by the
vulnerability. Reference to one or more unsupported versions in this Security
Bulletin shall not create an obligation for IBM to provide fixes for any
unsupported or extended-support products or versions.

- --------------------------END INCLUDED TEXT----------------------

You have received this e-mail bulletin as a result of your organisation’s
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT’s members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation’s
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author’s website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================