Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to Kerberos 5, OpenSSL, libexpat, golang-jwt, and GnuPG Libgcrypt

Security Bulletin

Summary

Kerberos 5, OpenSSL, libexpat, golang-jwt, GnuPG Libgcrypt and IBM MQ used by IBM MQ Operator and Queue Manager container images are vulnerable to denial of service due to improper memory allocation and server configuration validation, spoofing attacks, and providing weaker than expected security which might allow an attacker to execute arbitrary code on the system. This bulletin identifies the steps required to address these vulnerabilities.

Vulnerability Details

CVEID: CVE-2024-26461
DESCRIPTION: Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/lib/gssapi/krb5/k5sealv3.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-2511
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper server configuration validation. By using a specially crafted server configuration, a remote attacker could exploit this vulnerability to cause unbounded memory growth, and results in a denial of service condition.
CWE: CWE-16: Configuration
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-50602
DESCRIPTION: An issue was discovered in libexpat before 2.6.4. There is a crash within the XML_ResumeParser function because XML_StopParser can stop/suspend an unstarted parser.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-51744
DESCRIPTION: golang-jwt jwt-go could allow a remote attacker to obtain sensitive information, caused by improper error handling in ParseWithClaims. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions
CVSS Source: IBM X-Force
CVSS Base score: 3.1
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)

CVEID: CVE-2024-5535
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a buffer over-read flaw in the SSL_select_next_proto API function when calling with an empty supported client protocols buffer. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a crash or memory contents to be sent to the peer.
CWE: CWE-126: Buffer Over-read
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-2236
DESCRIPTION: GnuPG Libgcrypt could allow a remote attacker to obtain sensitive information, caused by a timing-based side-channel flaw in the RSA implementation. By using Bleichenbacher-style attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CWE: CWE-208: Observable Timing Discrepancy
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-26462
DESCRIPTION: Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/kdc/ndr.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-3596
DESCRIPTION: Microsoft Windows could allow a remote authenticated attacker to conduct spoofing attacks.
CWE: CWE-451: User Interface (UI) Misrepresentation of Critical Information
CVSS Source: IBM X-Force
CVSS Base score: 7.5
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2024-26458
DESCRIPTION: Kerberos 5 is vulnerable to a denial of service, caused by a memory leak in /krb5/src/lib/rpc/pmap_rmt.c. By sending a specially crafted request, a remote attacker could exploit this vulnerability to cause a denial of service.
CWE: CWE-401: Missing Release of Memory after Effective Lifetime
CVSS Source: IBM X-Force
CVSS Base score: 5.9
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2024-4741
DESCRIPTION: OpenSSL could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free flaw in the SSL_free_buffers API function. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition.
CWE: CWE-416: Use After Free
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21147
DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause high confidentiality, high integrity impacts.
CWE: CWE-284: Improper Access Control
CVSS Source: IBM X-Force
CVSS Base score: 7.4
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

CVEID: CVE-2024-21140
DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause low confidentiality, low integrity impacts.
CWE: CWE-284: Improper Access Control
CVSS Source: IBM X-Force
CVSS Base score: 4.8
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

CVEID: CVE-2024-21144
DESCRIPTION: An unspecified vulnerability in Java SE related to the Concurrency component could allow a remote attacker to cause low availability impact.
CWE: CWE-284: Improper Access Control
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2024-21138
DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow a remote attacker to cause a low availability impact.
CWE: CWE-770: Allocation of Resources Without Limits or Throttling
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2023-50314
DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.8 could allow an attacker with access to the network to conduct spoofing attacks. An attacker could exploit this vulnerability using a certificate issued by a trusted authority to obtain sensitive information. IBM X-Force ID: 274713.
CWE: CWE-295: Improper Certificate Validation
CVSS Source: IBM X-Force
CVSS Base score: 5.3
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2024-4603
DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper input validation by the EVP_PKEY_param_check() or EVP_PKEY_public_check() function. By parsing a specially crafted DSA public key or DSA parameters, a remote attacker could exploit this vulnerability to cause long delays, and results in a denial of service condition.
CWE: CWE-1287: Improper Validation of Specified Type of Input
CVSS Source: IBM X-Force
CVSS Base score: 3.7
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

Affected Product(s)

Version(s)

IBM MQ Operator

SC2 (formerly LTS): v3.2.0 - v3.2.6
CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3, 3.3.0

LTS: v2.0.0 - 2.0.28

Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images

CD: 9.3.4.0-r1, 9.3.4.1-r1, 9.3.5.0-r1, 9.3.5.0-r2, 9.3.5.1-r1, 9.3.5.1-r2, 9.4.1.0-r1

LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus,
9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1,
9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1,
9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2,
9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3, 9.3.0.20-r1, 9.3.0.20-r2, 9.3.0.21-r1, 9.3.0.21-r2, 9.3.0.21-r3, 9.4.0.0-r1, 9.4.0.0-r2, 9.4.0.0-r3, 9.4.0.5-r1, 9.4.0.5-r2, 9.4.0.6-r1

Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2

Remediation/Fixes

Issues mentioned by this security bulletin are addressed in -

IBM MQ Operator v3.4.0 CD release that included IBM supplied MQ Advanced 9.4.1.0-r2 container image.
IBM MQ Operator v3.2.7 SC2 (formerly LTS) release that included IBM supplied MQ Advanced 9.4.0.6-r2 container image.
IBM MQ Operator v2.0.29 LTS release that included IBM supplied MQ Advanced 9.3.0.25-r1 container image.
IBM MQ Container 9.4.1.0-r2 release.

IBM strongly recommends applying the latest container images.

Note:

The above details about the fix for CVE-2024-51744 is applicable ONLY for IBM MQ Operator v2.0.29 LTS release.
The above details about the fix for CVE-2024-4603, CVE-2024-4741, CVE-2024-26461, CVE-2024-2236, CVE-2024-26458, CVE-2024-2511, CVE-2024-26462 are NOT applicable for IBM MQ Operator v2.0.29 LTS release.

IBM MQ Operator v3.4.0 CD release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.4.0	icr.io	cp.icr.io/cpopen/ibm-mq-operator@sha256:b331ad89a75dfede4c2075d31220fa3b25a7616a8ce62f09166f5601c92e704b
ibm-mqadvanced-server	9.4.1.0-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:01f537cf1366bacad0e3a601f7064f58d612fdf0c9589598f03b7d6b192f4542
ibm-mqadvanced-server-integration	9.4.1.0-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:aad2236aae3bb7cf78eafa8badf7486dda9cddf955c61776eafcd3b47cfff12f
ibm-mqadvanced-server-dev	9.4.1.0-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:c6dfa9f5eb787f8a7ceb35696bf72ff0e6a54772e25c736858341cb6f1bf888e

IBM MQ Operator v3.2.7 SC2 (formerly LTS) release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v3.2.7	icr.io	cp.icr.io/cpopen/ibm-mq-operator@sha256:357a7d6db1196c2dc055327e9b57c5f3d262a7c597e90787ee8c27d191eaf287
ibm-mqadvanced-server	9.4.0.6-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:a422093b5f9cc9012f89a62b6f9be9c26eac9cca53338a8a867a50fe2381fe27
ibm-mqadvanced-server-integration	9.4.0.6-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:14e2ab26cd9a26b949d5ff459495e144e156cfadd1cd81872c94e0eaf6b26ffd
ibm-mqadvanced-server-dev	9.4.0.6-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:8d11c5e2159f2317fc5655858834c81dc2ac6b6a3bf272ec1416e566a4164909

IBM MQ Operator V2.0.29 LTS release details:

Image	Fix Version	Registry	Image Location
ibm-mq-operator	v2.0.29	icr.io	icr.io/cpopen/ibm-mq-operator@sha256:806027108fd0051d93e93c11a3d273a76a435daeb24141d490ad82ed96a08360
ibm-mqadvanced-server	9.3.0.25-r1	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:274e85ba65634c895232a23356fd4c9607a4e6de1cd861e8319586c5d8991f86
ibm-mqadvanced-server-integration	9.3.0.25-r1	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:54aa96d3a70d83f2aaf3354296b7f5ed8f0df9c674e3e1850441406e78245243
ibm-mqadvanced-server-dev	9.3.0.25-r1	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:763967cff2ffa98dd3ebeab0ac24507652db0d7f64240fce5f9a8eff1bee01e4

IBM MQ Container 9.4.1.0-r2 release details:

Image	Fix Version	Registry	Image Location
ibm-mqadvanced-server	9.4.1.0-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server@sha256:01f537cf1366bacad0e3a601f7064f58d612fdf0c9589598f03b7d6b192f4542
ibm-mqadvanced-server-integration	9.4.1.0-r2	cp.icr.io	cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:aad2236aae3bb7cf78eafa8badf7486dda9cddf955c61776eafcd3b47cfff12f
ibm-mqadvanced-server-dev	9.4.1.0-r2	icr.io	icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:c6dfa9f5eb787f8a7ceb35696bf72ff0e6a54772e25c736858341cb6f1bf888e

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

https://access.redhat.com/errata/RHSA-2024:9333
https://access.redhat.com/errata/RHSA-2024:9331
https://access.redhat.com/errata/RHSA-2024:9404
https://access.redhat.com/errata/RHSA-2024:8860
https://access.redhat.com/errata/RHSA-2024:9474
https://access.redhat.com/errata/RHSA-2024:9502
https://access.redhat.com/errata/RHSA-2024:9541
https://access.redhat.com/errata/RHSA-2024:7848

Acknowledgement

Change History

06 Dec 2024: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSFE2G","label":"IBM MQ container software"},"Component":"","Platform":[{"code":"PF040","label":"RedHat OpenShift"}],"Version":"IBM MQ Operator v3.4.0, IBM MQ Operator v3.2.7, IBM MQ Operator 2.0.29, IBM MQ Container 9.4.1.0-r2","Edition":"","Line of Business":{"code":"LOB67","label":"IT Automation \u0026 App Modernization"}}]

Tips

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to Kerberos 5, OpenSSL, libexpat, golang-jwt, and GnuPG Libgcrypt