SB2024091615 - Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Incorrect Privilege Assignment (CVE-ID: CVE-2024-40681)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to application does not properly impose security restrictions. An authenticated user in a specifically defined role can bypass security restrictions and execute actions against the queue manager.

2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2024-40680)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources. A local user can trigger resource exhaustion and perform a denial of service (DoS) attack.

3) Out-of-bounds read (CVE-ID: CVE-2024-37371)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when handling GSS message token. A remote attacker can send specially crafted token to the application, trigger an out-of-bounds read error and read contents of memory on the system.

4) Input validation error (CVE-ID: CVE-2024-37370)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/7167732