Security Bulletin: IBM MQ RDQM and IBM MQ Appliance are vulnerable to a denial of service attack (CVE-2018-1084)


Summary

A denial of service vulnerability was discovered within the corosync library which is used by the RDQM feature of IBM MQ and the high availability feature of IBM MQ Appliance.

Vulnerability Details

CVEID: CVE-2018-1084
DESCRIPTION: Corosync is vulnerable to a denial of service, caused by an integer overflow in exec/totemcrypto.c. By sending a specially-crafted packet, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/141586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

IBM MQ and IBM MQ Appliance version 9.1 LTS: versions 9.1.0.0 - 9.1.0.2
IBM MQ and IBM MQ Appliance version 9.1 CD: versions 9.1.1 - 9.1.2

Remediation/Fixes

IBM MQ version 9.1 LTS: apply ifix IT28745.
IBM MQ version 9.1 CD: apply ifix IT28745.
IBM MQ Appliance version 9.1 LTS: apply ifix IT28745, or later maintenance.
IBM MQ Appliance version 9.1 CD: apply ifix IT28745, or later maintenance.

Workarounds and Mitigations

IBM MQ RDQM is only affected when configured in a high availability (HA) group.

In most cases the IBM MQ Appliance is not affected by this issue. The exception is when you have a high availability configuration in which the two appliances are not directly connected (that is, they are remotely situated and connected by means of a switch or similar).

Change History

10 May 2019: Original version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Advisory: 15690
Distributed Product Record: 133632
Appliance Product Record: 133418

Document Location

Worldwide

Document Information

Modified date:
13 May 2019

UID

ibm10879045