Security Bulletin: IBM MQ is affected by issues in IBM WebSphere Application Server Liberty (CVE-2022-3509, CVE-2022-3171)

## Summary

Issues were identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality.

## Vulnerability Details

**CVEID:** CVE-2022-3509
**DESCRIPTION:** protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2022-3171
**DESCRIPTION:** protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238394 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

## Affected Products and Versions

Affected Product(s) | Version(s)
---|---
IBM MQ | 9.1 LTS
IBM MQ | 9.2 LTS
IBM MQ | 9.3 LTS
IBM MQ | 9.1 CD
IBM MQ | 9.2 CD
IBM MQ | 9.3 CD

The following installable MQ components are affected by the vulnerability:

* REST API and Console

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see

## Remediation/Fixes

**IBM MQ 9.1 LTS**

Follow the instructions given in the "Applying WebSphere Liberty interim fixes to the mqweb server" document to apply the IBM WebSphere Application Server Liberty fix for APAR PH50342.

**IBM MQ 9.2 LTS**

Apply Fix Pack 9.2.0.10

**IBM MQ 9.3 LTS**

Apply Fix Pack 9.3.0.1

**IBM MQ 9.1 CD, 9.2 CD and 9.3 CD**

Upgrade to IBM MQ Version 9.3.1

## Workarounds and Mitigations

None
