Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Security Bulletin

Summary

Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images

Vulnerability Details

CVEID: CVE-2024-12133
DESCRIPTION: A flaw in libtasn1 causes inefficient handling of specific certificate data. When processing a large number of elements in a certificate, libtasn1 takes much longer than expected, which can slow down or even crash the system. This flaw allows an attacker to send a specially crafted certificate, causing a denial of service attack.
CWE: CWE-407: Inefficient Algorithmic Complexity
CVSS Source: secalert@redhat.com
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2025-22868
DESCRIPTION: An attacker can pass a malicious malformed token which causes unexpected memory to be consumed during parsing.
CWE: CWE-1286: Improper Validation of Syntactic Correctness of Input
CVSS Source: CISA ADP
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2025-24528
DESCRIPTION: In MIT krb5 release 1.7 and later with incremental propagation enabled, an authenticated attacker can cause kadmind to write beyond the end of the mapped region for the iprop log file, likely causing a process crash.
CWE: CWE-787: Out-of-bounds Write
CVSS Source: Red Hat
CVSS Base score: 6.5
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2025-36041
DESCRIPTION: IBM MQ Native HA CRR could be configured with a private key and chain other than the intended key which could disclose sensitive information or allow the attacker to perform unauthorized actions.
CWE: CWE-295: Improper Certificate Validation
CVSS Source: IBM
CVSS Base score: 4.7
CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N)

CVEID: CVE-2024-12243
DESCRIPTION: A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing. Due to an inefficient algorithm in libtasn1, decoding certain DER-encoded certificate data can take excessive time, leading to increased resource consumption. This flaw allows a remote attacker to send a specially crafted certificate, causing GnuTLS to become unresponsive or slow, resulting in a denial-of-service condition.
CWE: CWE-407: Inefficient Algorithmic Complexity
CVSS Source: secalert@redhat.com
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2025-22871
DESCRIPTION: The net/http package improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. This can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.
CVSS Source: CISA ADP
CVSS Base score: 9.1
CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Affected Product(s)

Version(s)

IBM MQ Operator

SC2: v3.2.0 - v3.2.12
CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3, v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3

LTS: v2.0.0 - 2.0.29

Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images

SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2

CD: 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2, 9.3.5.1-r1, 9.3.5.1-r2, 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2

LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus,
9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1,
9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2,
9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2

Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2

Remediation/Fixes

Issues mentioned by this security bulletin are addressed in -

IBM MQ Operator v3.6.0 CD release that included IBM supplied MQ Advanced 9.4.3.0-r1 container image.
IBM MQ Operator v3.2.13 SC2 release that included IBM supplied MQ Advanced 9.4.0.11-r3 container image.
IBM MQ Container 9.4.3.0-r1 release.

Note: CVE-2025-36041 is applicable only for IBM MQ Operator v3.6.0 CD and IBM supplied MQ Advanced 9.4.3.0-r1 container image.

IBM strongly recommends applying the latest container images.

IBM MQ Operator v3.6.0 CD release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.6.0	icr.io	icr.io/cpopen/ibm-mq-operator@sha256:0f0773b1274869cbfd66e234a44568c807040cfcbd6d83bd19f8701fe367d5c7
ibm-mqadvanced-server	9.4.3.0-r1	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:d15aa903918884aab508fecf5ef40087b98839e41a5ca2fd8006e3d284508f79
ibm-mqadvanced-server-integration	9.4.3.0-r1	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:0bfd68bb13e044d9370cd8e5706210d603c161ed21693051abcd0e025d031d75
ibm-mqadvanced-server-dev	9.4.3.0-r1	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:d12eb474412a29fecaed5605d327300393fdda4aaccb519927519af9e30661db

IBM MQ Operator v3.2.13 SC2 release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.2.13	icr.io	icr.io/cpopen/ibm-mq-operator@sha256:ff8c47839f2eadb450a02e92527ecf6414ef2b06fcb94bff417f927e08feb765
ibm-mqadvanced-server	9.4.0.11-r3	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:9c6db4d923ba0666448f83296f134e8d2bc8208d265c5d3235adbbac0a904bd0
ibm-mqadvanced-server-integration	9.4.0.11-r3	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:fbe163783ce8c6810fec13eab6279222ff9087066db1164358aedb159f0ba853
ibm-mqadvanced-server-dev	9.4.0.11-r3	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:f5793579f538ec48455203a868bbf4653e24a5294efcd2af50857ed1ac41b4e9

IBM MQ Container 9.4.3.0-r1 release details:

Image	Fix Version	Registry	Image Location
ibm-mqadvanced-server	9.4.3.0-r1	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:d15aa903918884aab508fecf5ef40087b98839e41a5ca2fd8006e3d284508f79
ibm-mqadvanced-server-dev	9.4.3.0-r1	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:d12eb474412a29fecaed5605d327300393fdda4aaccb519927519af9e30661db

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

https://access.redhat.com/errata/RHSA-2025:8476
https://access.redhat.com/errata/RHSA-2025:7067
https://access.redhat.com/errata/RHSA-2025:7077
https://access.redhat.com/errata/RHSA-2025:7076

Acknowledgement

Change History

15 Jun 2025: Updated CVE and Remediation section
13 Jun 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFE2G","label":"IBM MQ container software"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"IBM MQ Operator v3.6.0, IBM MQ Operator v3.2.13, IBM MQ Container 9.4.3.0-r1","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Tips

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images