IBM Support

Security Bulletin: Multiple vulnerabilities in IBM MQ Operator and Queue manager container images

Security Bulletin


Summary

Multiple vulnerabilities were addressed in IBM MQ Operator and Queue manager container images

Vulnerability Details

CVEID:   CVE-2025-36047
DESCRIPTION:   IBM WebSphere Application Server Liberty 18.0.0.2 through 25.0.0.8 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume memory resources.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   IBM
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2025-48976
DESCRIPTION:   Allocation of resources for multipart headers with insufficient limits enabled a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: from 1.0 before 1.6; from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to versions 1.6 or 2.0.0-M4, which fix the issue.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   CISA ADP
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2020-36732
DESCRIPTION:   The crypto-js package before 3.2.1 for Node.js generates random numbers by concatenating the string "0." with an integer, which makes the output more predictable than necessary.
CWE:   CWE-330: Use of Insufficiently Random Values
CVSS Source:   NVD
CVSS Base score:   5.3
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2024-56339
DESCRIPTION:   IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor security configuration.
CWE:   CWE-650: Trusting HTTP Permission Methods on the Server Side
CVSS Source:   IBM
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2025-58754
DESCRIPTION:   Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.
CWE:   CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source:   security-advisories@github.com
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2025-36000
DESCRIPTION:   IBM WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.8 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CWE:   CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Source:   IBM
CVSS Base score:   4.4
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
IBM MQ Operator

SC2: v3.2.0 - v3.2.18

CD:  v3.3.0, v3.4.0, v3.4.1, v3.5.0, v3.5.1 - v3.5.3, v3.6.0 - v3.6.4, v3.7.0, v3.7.1

LTS: v2.0.0 - 2.0.29

IBM supplied MQ Advanced container images

SC2: 9.4.0.6-r1, 9.4.0.6-r2, 9.4.0.7-r1, 9.4.0.10-r1, 9.4.0.10-r2, 9.4.0.11-r1, 9.4.0.11-r2, 9.4.0.11-r3, 9.4.0.12-r1, 9.4.0.15-r1 - 9.4.0.15-r4

CD: 9.4.1.0-r1, 9.4.1.0-r2, 9.4.1.1-r1, 9.4.2.0-r1, 9.4.2.0-r2, 9.4.2.1-r1, 9.4.2.1-r2, 9.4.3.0-r1, 9.4.3.0-r2, 9.4.3.1-r1 - 9.4.3.1-r3, 9.4.4.0-r1, 9.4.4.0-r2

LTS: 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.3.0.25-r1, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2 

 

 

Remediation/Fixes

Issues mentioned by this security bulletin are addressed in -

  • IBM MQ Operator v3.7.2 CD release that included IBM supplied MQ Advanced 9.4.4.0-r3 container image. 
  • IBM MQ Operator v3.2.19 SC2 release that included IBM supplied MQ Advanced 9.4.0.16-r1 container image.
  • IBM MQ Container 9.4.4.0-r3 release.

IBM strongly recommends applying the latest container images. 

IBM MQ Operator v3.7.2 CD release details:

Image

Fix Version

Registry

Image Location

ibm-mq-operator

v3.7.2

icr.io

icr.io/cpopen/ibm-mq-operator@sha256:4d83ff2ac825793974fdd74c9302ab346f54f57eb4d5f5c731132228248c7cc3

ibm-mqadvanced-server

9.4.4.0-r3

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:0d7b8c369169d0999c8e8cabf58f195c8cacc9f92754d81d2037fbb0a9379b55

ibm-mqadvanced-server-integration

9.4.4.0-r3

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:1622325d3e10932b9124f51f15fce3906bfee450c2e74f503e3f5ad4bd806ca1

ibm-mqadvanced-server-dev

9.4.4.0-r3

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:2699c73a3ba2fcea4ad47723d2a3ad573331eb51f90d795eb0d97dbb6442e0ef


IBM MQ Operator v3.2.19 SC2 release details:

Image

Fix Version

Registry

Image Location

ibm-mq-operator

v3.2.19

icr.io

icr.io/cpopen/ibm-mq-operator@sha256:a7a405b76a0e5da0ae6a07fa959965770313b59103b92883b45df2bc349cc315

ibm-mqadvanced-server

9.4.0.16-r1

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:c6bbdac0be01b7f569fd9939f0004dac00fef7dba828e427e9c029bb3c3fa650

ibm-mqadvanced-server-integration

9.4.0.16-r1

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:d397c49e56297d7d2eb1ca3b0a2dc62603d8587b803ce9543ae8e8a6c750515d

ibm-mqadvanced-server-dev

9.4.0.16-r1

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:6fc44adca649f2ab075735599df7b124f808e3e213e09829666a11eee9554883

 

IBM MQ Container 9.4.4.0-r3 release details:

Image

Fix Version

Registry

Image Location

ibm-mqadvanced-server

9.4.4.0-r3

cp.icr.io

cp.icr.io/cp/ibm-mqadvanced-server@sha256:0d7b8c369169d0999c8e8cabf58f195c8cacc9f92754d81d2037fbb0a9379b55

ibm-mqadvanced-server-dev

9.4.4.0-r3

icr.io

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:2699c73a3ba2fcea4ad47723d2a3ad573331eb51f90d795eb0d97dbb6442e0ef

 

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

14 Nov 2025: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFE2G","label":"IBM MQ container software"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"IBM MQ Operator v3.7.2, IBM MQ Operator v3.2.19, IBM MQ Container 9.4.4.0-r3","Edition":"","Line of Business":{"code":"LOB77","label":"Automation Platform"}}]

Document Information

Modified date:
14 November 2025

UID

ibm17251247

Page Feedback