Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Security Bulletin

Summary

Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images

Vulnerability Details

CVEID: CVE-2025-0395
DESCRIPTION: When the assert() function in the GNU C Library versions 2.13 to 2.40 fails, it does not allocate enough space for the assertion failure message string and size information, which may lead to a buffer overflow if the message string size aligns to page size.
CWE: CWE-131: Incorrect Calculation of Buffer Size
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2025-22869
DESCRIPTION: SSH servers which implement file transfer protocols are vulnerable to a denial of service attack from clients which complete the key exchange slowly, or not at all, causing pending content to be read into memory, but never transmitted.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-45336
DESCRIPTION: The HTTP client drops sensitive headers after following a cross-domain redirect. For example, a request to a.com/ containing an Authorization header which is redirected to b.com/ will not send that header to b.com. In the event that the client received a subsequent same-domain redirect, however, the sensitive headers would be restored. For example, a chain of redirects from a.com/, to b.com/1, and finally to b.com/2 would incorrectly send the Authorization header to b.com/2.
CVSS Source: CISA ADP
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2025-22870
DESCRIPTION: Matching of hosts against proxy patterns can improperly treat an IPv6 zone ID as a hostname component. For example, when the NO_PROXY environment variable is set to "*.example.com", a request to "[::1%25.example.com]:80` will incorrectly match and not be proxied.
CWE: CWE-115: Misinterpretation of Input
CVSS Source: CISA ADP
CVSS Base score: 4.4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)

CVEID: CVE-2025-22866
DESCRIPTION: Due to the usage of a variable time instruction in the assembly implementation of an internal function, a small number of bits of secret scalars are leaked on the ppc64le architecture. Due to the way this function is used, we do not believe this leakage is enough to allow recovery of the private key when P-256 is used in any well known protocols.
CVSS Source: CISA ADP
CVSS Base score: 4
CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-45341
DESCRIPTION: A certificate with a URI which has a IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.
CVSS Source: CISA ADP
CVSS Base score: 6.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)

Version(s)

IBM MQ Operator

SC2: v3.2.0 - v3.2.11
CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3, v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1, v3.5.2

LTS: v2.0.0 - 2.0.29

Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images

SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1

CD: 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2, 9.3.5.1-r1, 9.3.5.1-r2, 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1

LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus,
9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1,
9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2,
9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2

Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2

Remediation/Fixes

Issues mentioned by this security bulletin are addressed in -

IBM MQ Operator v3.5.3 CD release that included IBM supplied MQ Advanced 9.4.2.1-r2 container image.
IBM MQ Operator v3.2.12 SC2 release that included IBM supplied MQ Advanced 9.4.0.11-r2 container image.
IBM MQ Container 9.4.2.1-r2 release.

IBM strongly recommends applying the latest container images.

IBM MQ Operator v3.5.3 CD release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.5.3	icr.io	icr.io/cpopen/ibm-mq-operator@sha256:454dd71fd8b3b3dbd9b6ff26edabf12327dac7f821b77d7cba181bf3cc373de3
ibm-mqadvanced-server	9.4.2.1-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:f8f3413232514660182322840f87efdc5aebe49acd7a1943a90dd383df85ec2e
ibm-mqadvanced-server-integration	9.4.2.1-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:4102f67f63543b6024720a47ce96b0ffd43db1f465561f10ff2ed6b4cb699600
ibm-mqadvanced-server-dev	9.4.2.1-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:a58c3a9a5550aada58a5a4db72f1b2e601e6f4f29e90d3c2a81e30abc79cea1a

IBM MQ Operator v3.2.12 SC2 release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.2.12	icr.io	icr.io/cpopen/ibm-mq-operator@sha256:ad4a7da1f8e7ab1fcf6833f3ac00e7e68f248786f5731f6360eb6f38e2826129
ibm-mqadvanced-server	9.4.0.11-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:542caab203d041a88ca7141510954013b7a335fadc8d23799b4a7efa482b81fa
ibm-mqadvanced-server-integration	9.4.0.11-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:84b8a4f97f9577f07499181e5d6899881c2c143739ea220426977b94d609f0d4
ibm-mqadvanced-server-dev	9.4.0.11-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:6b664c20ff577fcd28659781f8a204948e789f0c172eed149ed1ec70d6d992a5

IBM MQ Container 9.4.2.1-r2 release details:

Image	Fix Version	Registry	Image Location
ibm-mqadvanced-server	9.4.2.1-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:f8f3413232514660182322840f87efdc5aebe49acd7a1943a90dd383df85ec2e
ibm-mqadvanced-server-dev	9.4.2.1-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:a58c3a9a5550aada58a5a4db72f1b2e601e6f4f29e90d3c2a81e30abc79cea1a

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

https://access.redhat.com/errata/RHSA-2025:3773

https://access.redhat.com/errata/RHSA-2025:4244

Acknowledgement

Change History

22 May 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFE2G","label":"IBM MQ container software"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"IBM MQ Operator v3.5.3, IBM MQ Operator v3.2.12, IBM MQ Container 9.4.2.1-r2","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Tips

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images