Security Bulletin: Multiple IBM MQ vulnerabilities affect IBM Sterling Global Mailbox

Security Bulletin

Summary

IBM MQ is shipped with IBM Sterling Global Mailbox. Multiple vulnerabilities impacts IBM MQ. Remediation is available for the issues.

Vulnerability Details

CVEID: CVE-2019-4227
DESCRIPTION: IBM MQ 8.0.0.4 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 AMQP Listeners could allow an unauthorized user to conduct a session fixation attack due to clients not being disconnected as they should. IBM X-Force ID: 159352.
CVSS Base score: 5.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/159352 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-4620
DESCRIPTION: IBM MQ Appliance 8.0 and 9.0 LTS could allow a local attacker to bypass security restrictions caused by improper validation of environment variables. IBM X-Force ID: 168863.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168863 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4762
DESCRIPTION: IBM MQ 9.0 and 9.1 is vulnerable to a denial of service attack due to an error in the Channel processing function. IBM X-Force ID: 173625.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4310
DESCRIPTION: IBM MQ and MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 C are vulnerable to a denial of service attack due to an error within the Data Conversion logic. IBM X-Force ID: 177081.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177081 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4375
DESCRIPTION: IBM MQ, IBM MQ Appliance, IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS could allow an attacker to cause a denial of service due to a memory leak caused by an error creating a dynamic queue. IBM X-Force ID: 179080.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/179080 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4682
DESCRIPTION: IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/186509 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-4261
DESCRIPTION: IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS, and IBM MQ V9.1 CD are vulnerable to a denial of service attack caused by specially crafted messages. IBM X-Force ID: 160013.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2019-4378
DESCRIPTION: IBM MQ 7.5.0.0 - 7.5.0.9, 7.1.0.0 - 7.1.0.9, 8.0.0.0 - 8.0.0.12, 9.0.0.0 - 9.0.0.6, 9.1.0.0 - 9.1.0.2, and 9.1.0 - 9.1.2 command server is vulnerable to a denial of service attack caused by an authenticated and authorized user using specially crafted PCF messages. IBM X-Force ID: 162084.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/162084 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4614
DESCRIPTION: IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a Queue Manager could cause a SIGSEGV denial of service caused by converting an invalid message. IBM X-Force ID: 168639.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/168639 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2019-4656
DESCRIPTION: IBM MQ and IBM MQ Appliance 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD are vulnerable to a denial of service attack that would allow an authenticated user to craft a malicious message causing a queue manager to incorrectly mark a queue as damaged, requiring a restart to continue processing against the queue. IBM X-Force ID: 170967.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170967 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4267
DESCRIPTION: IBM MQ and MQ Appliance 8.0, 9.1 LTS, and 9.1 CD could allow an authenticated user cause a denial of service due to a memory leak. IBM X-Force ID: 175840.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175840 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4320
DESCRIPTION: IBM MQ Appliance and IBM MQ AMQP Channels 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD do not correctly block or allow clients based on the certificate distinguished name SSLPEER setting. IBM X-Force ID: 177403.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/177403 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2020-4465
DESCRIPTION: IBM MQ, IBM MQ Appliance, and IBM MQ for HPE NonStop 8.0, 9.1 CD, and 9.1 LTS is vulnerable to a buffer overflow vulnerability due to an error within the channel processing code. A remote attacker could overflow the buffer using an older client and cause a denial of service. IBM X-Force ID: 181562.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181562 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM Sterling Global Mailbox	6.1.x
IBM Sterling Global Mailbox	6.0.x

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM MQ which is/are shipped with Global Mailbox.

Product(s)	Version(s)	Instructions
IBM Sterling Global Mailbox	6.0.3.5	See B2Bi v6.0.3.5 section below
IBM Sterling Global Mailbox	6.1.0.3	See B2Bi v6.1.0.3 section below
IBM Sterling Global Mailbox	6.1.1.0	See B2Bi v6.1.1.0 section below

B2Bi v6.0.3.5

IIM

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-B2Bi-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.0.3.3&platform=All&function=fixId&fixids=6.0.3.5-OtherSoftware-SFG-All&includeSupersedes=0

Docker

Sterling B2B Integrator

Sterling File Gateway

B2Bi v6.1.1.0 -

Documentation Link https://www.ibm.com/docs/en/b2b-integrator/6.1.1

What’s New in 6.1.1.0 https://www.ibm.com/docs/en/b2b-integrator/6.1.1?topic=integrator-whats-new-in-6110

Note:-

6.1.1.0 is an IIM only release.
6.1.1.0 is available only on passport advantage.

B2Bi v6.1.0.3 -

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.0.2&platform=All&function=fixId&fixids=6.1.0.3-OtherSoftware-B2Bi-All&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.0.2&platform=All&function=fixId&fixids=6.1.0.3-OtherSoftware-SFG-All&includeSupersedes=0

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.0.3

Certified Container Image

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.0.3

Helm Chart

https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.0.3.tgz

IBM Sterling File Gateway V6.1.0.3

Certified Container Image

cp.icr.io/cp/ibm-sfg/sfg:6.1.0.3

Helm Chart

https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.0.3.tgz

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Change History

14 Feb 2022: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Product":{"code":"SS6EA4","label":"IBM Global High Availability Mailbox"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"6.1.1.0","Edition":""}]

Was this topic helpful?

Document Information

Modified date:
22 February 2022

Initial Publish date:
14 February 2022

UID

ibm16558536

Tips

Security Bulletin: Multiple IBM MQ vulnerabilities affect IBM Sterling Global Mailbox