Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Runtime Environment, Java Technology Edition.
Discription

## Summary

Multiple issues were identified with IBM Runtime Environment, Java Technology Edition, Version 8 which is shipped with IBM MQ (CVE-2023-21930, CVE-2023-21967, CVE-2023-21939, CVE-2023-21938).

## Vulnerability Details

**CVEID: **[CVE-2023-21930]()
**DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an unauthenticated attacker to cause high confidentiality impact and high integrity impact.
CVSS Base score: 7.4
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253115]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)

**CVEID: **[CVE-2023-21967]()
**DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow a remote attacker to cause high availability impact.
CVSS Base score: 5.9
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253156]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

**CVEID: **[CVE-2023-21939]()
**DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Swing component could allow a remote attacker to cause integrity impact.
CVSS Base score: 5.3
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253168]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

**CVEID: **[CVE-2023-21938]()
**DESCRIPTION: **An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the Libraries component could allow a remote attacker to cause integrity impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/253155]() for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

## Affected Products and Versions

Affected Product(s) | Version(s)
—|—
IBM MQ | 9.0 LTS
IBM MQ | 9.1 LTS
IBM MQ | 9.2 LTS
IBM MQ | 9.3 LTS
IBM MQ | 9.3 CD

The following installable MQ components are affected by the vulnerability:

– Java messaging
– Java JRE
– Telemetry Service
– Managed File Transfer
– AMQP Service
– REST API and Console
– IBM MQ Explorer

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see

## Remediation/Fixes

These issues were resolved under APAR IT44043

**IBM MQ version 9.0 LTS for Windows, Linux, AIX**

Apply [Cumulative Security Update 9.0.0.19]()

**IBM MQ version 9.0 LTS for Solaris**

Apply [Cumulative Security Update 9.0.0.19]() followed by the [interim fix for APAR IT44043]()

**IBM MQ version 9.1 LTS **

Apply [Cumulative Security Update 9.1.0.17]()

**IBM MQ version 9.2 LTS**

Apply [Cumulative Security Update 9.2.0.16]()

**IBM MQ version 9.3 LTS**

Apply [Fix Pack 9.3.0.10]()

**IBM MQ version 9.3 CD**

Apply [Cumulative Security Update 9.3.3.1]()

## Workarounds and Mitigations

None

##Read More

References

Back to Main
Subscribe for the latest news: