SB2022071109 - Multiple vulnerabilities in IBM MQ Operator
Published: July 11, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2020-15257)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
2) Resource management error (CVE-ID: CVE-2021-21334)
The vulnerability allows an attacker to gain access to potentially sensitive information.
The vulnerability exists due to incorrect management of internal resources. Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.3) Buffer overflow (CVE-ID: CVE-2021-41771)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists in debug/macho of the Go standard library when using the debug/macho standard library (stdlib) and malformed binaries are parsed using Open or OpenFat. A remote attacker can send a specially crafted file to perform a denial of service attack.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-an-issue-in-opm-and-golang-go-packages-cve-2020-15257-cve-2021-21334-and-cve-2021-41771/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-operator-and-queue-manager-container-images-are-vulnerable-to-an-issue-in-opm-and-golang-go-packages-cve-2020-15257-cve-2021-21334-and-cve-2021-41771/</a><br><a
- https://www.ibm.com/support/pages/node/6602259"
- https://www.ibm.com/support/pages/node/6602259</a><br><br><br></p>