Site icon API Security Blog

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to multiple vulnerabilities from Kubernetes, curl and systemd

## Summary

Multiple issues were identified in Red Hat UBI packages Kubernetes, curl, systemd that were shipped with IBM MQ Operator and IBM supplied MQ Advanced container images

## Vulnerability Details

** CVEID: **[CVE-2022-43552]()
** DESCRIPTION: **cURL libcurl is vulnerable to a denial of service, caused by a use-after-free flaw when using an HTTP proxy. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to cause a denial of service condition.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/242799]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

** CVEID: **[CVE-2022-4415]()
** DESCRIPTION: **systemd could allow a local authenticated attacker to obtain sensitive information, caused by not respecting fs.suid_dumpable kernel setting in the systemd-coredump. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 5.5
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/242796]() for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

** CVEID: **[CVE-2022-3172]()
** DESCRIPTION: **Kubernetes kube-apiserver is vulnerable to server-side request forgery, caused by a flaw with allowing an aggregated API server to redirect client traffic to any URL. By sending a specially-crafted request, an attacker could exploit this vulnerability to conduct SSRF attack to unexpected actions and the client’s API server credentials to third parties.
CVSS Base score: 5.1
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/236344]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L)

## Affected Products and Versions

Affected Product(s)| Version(s)
—|—
IBM MQ Operator| CD: v2.3.3 and prior releases
LTS: v2.0.11 and prior releases
IBM supplied MQ Advanced container images| CD: 9.3.2.1-r2 and prior releases
LTS: 9.3.0.5-r2and prior releases

## Remediation/Fixes

Issue mentioned by this security bulletin is addressed in IBM MQ Operator v2.4.0 CD release that included IBM supplied MQ Advanced 9.3.3.0-r1 container image and IBM MQ Operator v2.0.12 LTS release that included IBM supplied MQ Advanced 9.3.0.5-r3 container image.
IBM strongly recommends applying the latest container images.

**IBM MQ Operator 2.4.0 CD release details:

**

**Image**

|

**Fix Version**

|

**Registry**

|

**Image Location**

—|—|—|—

ibm-mq-operator

|

v2.4.0

|

icr.io

|

icr.io/cpopen/ibm-mq-operator@sha256:b8f1f1d07193993a08dd4c0936689495281461a6c401e70f6e8589fa77fce03f

ibm-mqadvanced-server

|

9.3.3.0-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server@sha256:f599bfad3698c315d580f02856b16bdda9c40ea9c733e76a9efbb2582c282ccf

ibm-mqadvanced-server-integration

|

9.3.3.0-r1

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:46b037f1a9d9e680667243f7cb3f3b63312855e588aa1ad1b0907521ebeed9ab

ibm-mqadvanced-server-dev

|

9.3.3.0-r1

|

icr.io

|

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:d1afcf4a06842ffaf2dfe6892aad4511f2f62ee40b60bceb9c76898fa20e88a0

**IBM MQ Operator V2.0.12 LTS release details:
**

**Image**

|

**Fix Version**

|

**Registry**

|

**Image Location**

—|—|—|—

ibm-mq-operator

|

2.0.12

|

icr.io

|

icr.io/cpopen/ibm-mq-operator@sha256:7996b86486f3dd5e86c86a62270c1d9ad63f98c8a97d3ef47193cf33a5ee16f9

ibm-mqadvanced-server

|

9.3.0.5-r3

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server@sha256:57f7401c4cfe6c2e83f522731d1419798a2239a997e65fbc254730ac7cfa49cc

ibm-mqadvanced-server-integration

|

9.3.0.5-r3

|

cp.icr.io

|

cp.icr.io/cp/ibm-mqadvanced-server-integration@sha256:76b7e93f31f2d6ac29de464343d1e1bb1642e779f63a218fc33bd712d3da8ae6

ibm-mqadvanced-server-dev

|

9.3.0.5-r3

|

icr.io

|

icr.io/ibm-messaging/ibm-mqadvanced-server-dev@sha256:36f80524aaff90e57085e56b74b5a71c923b824208ab4881583680b97bfe5000

## Workarounds and Mitigations

Important Note for users of Operations Dashboard on IBM MQ LTS Queue Manager Container Images 9.3.0.x

When Operations Dashboard is enabled, the following IBM MQ LTS Queue Manager Container Images deploy
Operations Dashboard Agent and Collector images that do not contain the latest security fixes available
at the time of their GA.

– [9.3.0.5-r1]() (April 2023 GA)

– [9.3.0.5-r2]() (May 2023 GA)

IBM MQ LTS Queue Managers Container Images from [9.3.0.5-r3]() (June 2023 GA) onwards contain the latest available security fixes.

**Mitigation**: Upgrade all IBM MQ LTS 9.3.0.x Queue Managers with Operations Dashboard enabled to at least [9.3.0.5-r3]().
To complete this upgrade, follow the instructions in [Upgrading an IBM MQ queue manager using Red Hat OpenShift.]()“

##Read More

Exit mobile version