===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.4106
    IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities
                               20 July 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security QRadar SIEM
Publisher:         IBM
Operating System:  Linux variants
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39034 CVE-2021-38949 CVE-2020-4682
                   CVE-2020-4338 CVE-2020-4320 CVE-2020-4310
                   CVE-2019-4762 CVE-2019-4719 CVE-2019-4656
                   CVE-2019-4655 CVE-2019-4619 CVE-2019-4614
                   CVE-2019-4378 CVE-2019-4261 CVE-2019-4227
                   CVE-2019-4055 CVE-2019-4049 

Original Bulletin: 
   https://www.ibm.com/support/pages/node/7013143

Comment: CVSS (Max):  8.1 CVE-2020-4682 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: IBM
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM MQ as used by IBM QRadar SIEM contains multiple
vulnerabilities

Document Information

Document number    : 7013143
Modified date      : 19 July 2023
Product            : IBM Security QRadar SIEM
Component          : -
Software version   : 7.5
Operating system(s): Linux

Security Bulletin


Summary

IBM MQ as used by IBM QRadar SIEM contains multiple vulnerabilities. IBM QRadar
SIEM has addressed the applicable vulnerabilities.

Vulnerability Details

CVEID: CVE-2020-4682
DESCRIPTION: IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a
remote attacker to execute arbitrary code on the system, caused by an unsafe
deserialization of trusted data. An attacker could exploit this vulnerability
to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186509 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4055
DESCRIPTION: IBM MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, and
9.1.0.0 through 9.1.1 is vulnerable to a denial of service attack within the
TLS key renegotiation function. IBM X-Force ID: 156564.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156564 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4762
DESCRIPTION: IBM MQ 9.0 and 9.1 is vulnerable to a denial of service attack due
to an error in the Channel processing function. IBM X-Force ID: 173625.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4310
DESCRIPTION: IBM MQ and MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C
are vulnerable to a denial of service attack due to an error within the Data
Conversion logic. IBM X-Force ID: 177081.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177081 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2021-39034
DESCRIPTION: IBM MQ 9.1 LTS is vulnerable to a denial of service attack caused
by an issue within the channel process. IBM X-Force ID: 213964.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213964 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4227
DESCRIPTION: IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2,
and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a
session fixation attack due to clients not being disconnected as they should.
IBM X-Force ID: 159352.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159352 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-4261
DESCRIPTION: IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1
LTS, and IBM MQ V9.1 CD are vulnerable to a denial of service attack caused by
specially crafted messages. IBM X-Force ID: 160013.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-4378
DESCRIPTION: IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12,
9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is
vulnerable to a denial of service attack caused by an authenticated and
authorized user using specially crafted PCF messages. IBM X-Force ID: 162084.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4614
DESCRIPTION: IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a
Queue Manager could cause a SIGSEGV denial of service caused by converting an
invalid message. IBM X-Force ID: 168639.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168639 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4656
DESCRIPTION: IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and
9.1 CD are vulnerable to a denial of service attack that would allow an
authenticated user to craft a malicious message causing a queue manager to
incorrectly mark a queue as damaged, requiring a restart to continue processing
against the queue. IBM X-Force ID: 170967.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170967 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4320
DESCRIPTION: IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS,
and 9.1 CD do not correctly block or allow clients based on the certificate
distinguished name SSLPEER setting. IBM X-Force ID: 177403.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4049
DESCRIPTION: IBM MQ 9.1.0.0, 9.1.0.1, 9.1.1, and 9.1.0.2 is vulnerable to a
denial of service due to a local user being able to fill up the disk space of
the underlying filesystem using the error logging service. IBM X-Force ID:
156398.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/156398 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4619
DESCRIPTION: IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and
9.1 CD could allow a local attacker to obtain sensitive information by
inclusion of sensitive data within trace. IBM X-Force ID: 168862.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168862 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-4719
DESCRIPTION: IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and
9.1 CD could allow a local attacker to obtain sensitive information by
inclusion of sensitive data within runmqras data.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/172124 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2020-4338
DESCRIPTION: IBM MQ 9.1.4 could allow a local attacker to obtain sensitive
information by inclusion of sensitive data within runmqras data. IBM X-Force
ID: 177937.
CVSS Base score: 5.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177937 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2021-38949
DESCRIPTION: IBM MQ 7.5, 8.0, 9.0 LTS, 9.1 CD, and 9.1 LTS stores user
credentials in plain clear text which can be read by a local user. IBM X-Force
ID: 211403.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/211403 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2019-4655
DESCRIPTION: IBM MQ 9.1.0.0, 9.1.0.1, 9.1.0.2, 9.1.0.3, 9.1.1, 9.1.2, and 9.1.3
is vulnerable to a denial of service attack that would allow an authenticated
user to reset client connections due to an error within the Data Conversion
routine. IBM X-Force ID: 170966.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170966 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

+-------------------+------------------------------------------------------------+
|Affected Product(s)|Version(s)                                                  |
+-------------------+------------------------------------------------------------+
|IBM QRadar SIEM    |All MQJMS versions before                                   |
|                   |7.4.0-QRADAR-PROTOCOL-MQJMS-7.4-20230327175451              |
+-------------------+------------------------------------------------------------+
|IBM QRadar SIEM    |All MQJMS versions before                                   |
|                   |7.5.0-QRADAR-PROTOCOL-MQJMS-7.5-20230327175444              |
+-------------------+------------------------------------------------------------+

Remediation/Fixes

IBM encourages customers to update their systems promptly.

+---------------+-------+----------------------------------------------+
|Product        |Version|Remediation/First Fix                         |
+---------------+-------+----------------------------------------------+
|IBM QRadar SIEM|7.5.0  |7.5.0-QRADAR-PROTOCOL-MQJMS-7.5-20230327175444|
+---------------+-------+----------------------------------------------+
|IBM QRadar SIEM|7.4.0  |7.4.0-QRADAR-PROTOCOL-MQJMS-7.4-20230327175451|
+---------------+-------+----------------------------------------------+

Workarounds and Mitigations

None


These files were released as part of the 16 May 2023 auto update bundle.
Administrators can confirm that the latest protocol version is installed on
the Console from the Auto Update interface on the Admin tab, or by running
yum info PROTOCOL-MQJMS from the command-line interface.

For example:

[root@examplehost]# yum info PROTOCOL-MQJMS
Loaded plugins: product-id, search-disabled-repos
Installed Packages
Name        : PROTOCOL-MQJMS
Arch        : noarch
Version     : 7.5
Release     : 20230327175444
Size        : 8.6 M
Repo        : installed
From repo   : /PROTOCOL-MQJMS-7.5-20230327175444.noarch
Summary     : PROTOCOL null Install
URL         : www.ibm.com
License     : IBM Corp.
Description :
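
The check above can be scripted against the Remediation/Fixes table. The
following is an added example, not part of the IBM or AusCERT text; the
function names are illustrative, and it assumes the Release field is a build
timestamp that increases with newer builds.

```shell
#!/bin/sh
# Added example (not IBM's or AusCERT's script): decide from `yum info
# PROTOCOL-MQJMS` output whether the installed build is at or past the
# first fixed build named in the Remediation/Fixes table.

# First fixed Release for each Version, copied from the bulletin.
fixed_release_for() {
    case "$1" in
        7.5) echo 20230327175444 ;;
        7.4) echo 20230327175451 ;;
        *)   return 1 ;;
    esac
}

# Reads yum info output on stdin. Returns 0 = fixed, 1 = older than the
# fix, 2 = cannot tell (not installed, unknown branch, unparsable).
check_mqjms() {
    info=$(cat)
    if ! printf '%s\n' "$info" | grep -q '^Installed Packages'; then
        echo "UNKNOWN: PROTOCOL-MQJMS is not reported as installed"; return 2
    fi
    version=$(printf '%s\n' "$info" | awk -F': *' '/^Version *:/ {print $2; exit}')
    release=$(printf '%s\n' "$info" | awk -F': *' '/^Release *:/ {print $2; exit}')
    fixed=$(fixed_release_for "$version") || {
        echo "UNKNOWN: no fixed build listed for version '$version'"; return 2
    }
    # Release is assumed to be a numeric build timestamp; reject anything
    # else before comparing it numerically.
    case "$release" in
        ''|*[!0-9]*) echo "UNKNOWN: unexpected release '$release'"; return 2 ;;
    esac
    if [ "$release" -ge "$fixed" ]; then
        echo "FIXED: $version-$release >= $version-$fixed"; return 0
    fi
    echo "VULNERABLE: $version-$release predates $version-$fixed"; return 1
}

# Sample input: the relevant lines of the yum output shown in the bulletin.
sample_yum_info() {
    printf '%s\n' 'Installed Packages' 'Name        : PROTOCOL-MQJMS' \
        'Version     : 7.5' 'Release     : 20230327175444'
}

sample_yum_info | check_mqjms
# On a Console: yum info PROTOCOL-MQJMS | check_mqjms
```

The 7.4 and 7.5 branches have different first fixed builds, so the release is
always compared against the entry for the installed Version.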

Acknowledgement

Change History

19 Jul 2023: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF
ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to
address potential vulnerabilities, IBM periodically updates the record of
components contained in our product offerings. As part of that effort, if IBM
identifies previously unidentified packages in a product/service inventory, we
address relevant vulnerabilities regardless of CVE date. Inclusion of an older
CVEID does not demonstrate that the referenced product has been used by IBM
since that date, nor that IBM was aware of a vulnerability as of that date. We
are making clients aware of relevant vulnerabilities as we become aware of
them. "Affected Products and Versions" referenced in IBM Security Bulletins are
intended to be only products and versions that are supported by IBM and have
not passed their end-of-support or warranty date. Thus, failure to reference
unsupported or extended-support products and versions in this Security Bulletin
does not constitute a determination by IBM that they are unaffected by the
vulnerability. Reference to one or more unsupported versions in this Security
Bulletin shall not create an obligation for IBM to provide fixes for any
unsupported or extended-support products or versions.

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================