## Summary
Issues were identified in IBM WebSphere Application Server Liberty, which IBM MQ ships and uses to supply IBM MQ Console and IBM MQ REST API functionality.
## Vulnerability Details
**CVEID:** CVE-2022-3509
**DESCRIPTION:** protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for textformat data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/239915 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
**CVEID:** CVE-2022-3171
**DESCRIPTION:** protobuf-java core and lite are vulnerable to a denial of service, caused by a flaw in the parsing procedure for binary and text format data. By sending non-repeated embedded messages with repeated or unknown fields, a remote authenticated attacker could exploit this vulnerability to cause long garbage collection pauses.
CVSS Base score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/238394 for the current score.
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
## Affected Products and Versions
Affected Product(s) | Version(s)
---|---
IBM MQ | 9.1 LTS
IBM MQ | 9.2 LTS
IBM MQ | 9.3 LTS
IBM MQ | 9.1 CD
IBM MQ | 9.2 CD
IBM MQ | 9.3 CD

The following installable MQ components are affected by the vulnerability:
* REST API and Console
If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see
## Remediation/Fixes
**IBM MQ 9.1 LTS**
Follow the instructions given in the "Applying WebSphere Liberty interim fixes to the mqweb server" document to apply the IBM WebSphere Application Server Liberty fix for APAR PH50342.
**IBM MQ 9.2 LTS**
Apply Fix Pack 9.2.0.10
**IBM MQ 9.3 LTS**
Apply Fix Pack 9.3.0.1
**IBM MQ 9.1 CD, 9.2 CD and 9.3 CD**
Upgrade to IBM MQ Version 9.3.1
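
The remediation table above can be turned into a triage check for an installed version. This is an added example, not IBM code: the function names are hypothetical, and it assumes that `dspmqver` reports a `Version:` line in V.R.M.F form, that LTS levels have modification 0 while CD levels have a non-zero modification, and that fix packs later than the one named here also carry the fix.

```python
import re

# Fix levels copied from the Remediation/Fixes section of this bulletin.
LTS_FIX_PACK = {(9, 2): (9, 2, 0, 10), (9, 3): (9, 3, 0, 1)}
CD_FIXED = (9, 3, 1, 0)
LISTED_RELEASES = {(9, 1), (9, 2), (9, 3)}

# Constructed sample in the layout dspmqver prints (not captured from a real host).
SAMPLE_DSPMQVER = """Name:        IBM MQ
Version:     9.2.0.5
Level:       p920-005-220208
"""

def parse_vrmf(text):
    """Return (V, R, M, F) from dspmqver-style output or a bare version string."""
    m = re.search(r"^\s*(?:Version:\s*)?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$",
                  text, re.MULTILINE)
    if not m:
        return None
    # A missing fix level (e.g. "9.3.1") is treated as 0.
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(text, mqweb_installed=True):
    """Map an installed version to the action this bulletin prescribes."""
    vrmf = parse_vrmf(text)
    if vrmf is None:
        return "unknown-version"
    if not mqweb_installed:
        # Only the REST API and Console component is listed as affected.
        return "component-absent"
    v, r, m, _ = vrmf
    if (v, r) not in LISTED_RELEASES:
        return "not-listed"
    if m == 0:  # assumption: modification 0 means an LTS level
        if (v, r) == (9, 1):
            # The fix is an interim fix, so the version alone cannot confirm it.
            return "apply-interim-fix PH50342"
        target = LTS_FIX_PACK[(v, r)]
        # Tuple comparison is numeric, so 9.2.0.9 sorts below 9.2.0.10.
        if vrmf >= target:
            return "fixed"
        return "apply-fix-pack " + ".".join(map(str, target))
    # Non-zero modification: a CD level, fixed from 9.3.1 onwards.
    return "fixed" if vrmf >= CD_FIXED else "upgrade-to 9.3.1"

if __name__ == "__main__":
    print(triage(SAMPLE_DSPMQVER))
```

For 9.1 LTS the result is always the interim-fix action, because applying the Liberty interim fix does not change the MQ version number.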
## Workarounds and Mitigations
None