An IBM MQ vulnerability has been addressed.

Summary

In May, the National Vulnerability Database published that applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit, may experience notable to very long delays when processing those messages, which may lead to a Denial of Service (DoS). According to IBM, this left IBM MQ vulnerable to DoS attacks.

IBM MQ Vulnerability Details

CVEID: CVE-2023-2650
DESCRIPTION: OpenSSL versions 3.0.x, 3.1.x, 1.1.1, and 1.0.2 are susceptible to a vulnerability which, when successfully exploited, could lead to Denial of Service. A remote attacker could exploit this vulnerability by sending a correctly crafted request designed to cause a denial of service.
LTS versions of MQ from 9.0 through 9.3, as well as 9.3 CD, are affected. In addition, Advanced Message Security (AMS) and the macOS Toolkit are affected.

Remediation/Fixes

IBM MQ 9.0 LTS

Apply Cumulative Security Update 9.0.0.19

IBM MQ 9.1 LTS

Apply Cumulative Security Update 9.1.0.17

IBM MQ 9.2 LTS

Apply Cumulative Security Update 9.2.0.16

IBM MQ 9.3 LTS

Apply
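
An added example, not IBM's code and not part of the original advisory: a check that parses the `Version:` line of `dspmqver` output and compares it with the LTS fix levels listed above. The sample output is constructed, the 9.3 levels are left undetermined because they are cut off on this page, and treating a non-zero modification number as a CD release is an assumption.

```python
import re

# Fix levels exactly as listed on this page. The 9.3 entry is cut off in the
# page text, so it is left as None (unknown) rather than guessed.
FIXED_LTS = {(9, 0): 19, (9, 1): 17, (9, 2): 16, (9, 3): None}

# Constructed sample of `dspmqver` output (not taken from a real system).
SAMPLE_DSPMQVER = """\
Name:        IBM MQ
Version:     9.2.0.10
Level:       p920-010-CONSTRUCTED
BuildType:   IKAP - (Production)
"""

def parse_dspmqver(text):
    """Return (version, release, modification, fix) from the Version: line."""
    m = re.search(r"^Version:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$", text, re.M)
    if m is None:
        raise ValueError("no 'Version: V.R.M.F' line in dspmqver output")
    return tuple(int(part) for part in m.groups())

def assess(vrmf):
    """Return (status, required_level) for an installed V.R.M.F tuple."""
    v, r, mod, fix = vrmf
    if (v, r) not in FIXED_LTS:
        return ("not-listed", None)          # release not named on this page
    if mod != 0:
        # Assumption: a non-zero modification number marks a CD release.
        # The page names only 9.3 CD as affected and gives no fix level here.
        return ("check-advisory", None) if (v, r) == (9, 3) else ("not-listed", None)
    required = FIXED_LTS[(v, r)]
    if required is None:
        return ("check-advisory", None)      # 9.3 LTS: level missing from page
    status = "fixed" if fix >= required else "needs-update"
    return (status, f"{v}.{r}.0.{required}")

if __name__ == "__main__":
    installed = parse_dspmqver(SAMPLE_DSPMQVER)
    print(installed, assess(installed))
```

A `check-advisory` or `not-listed` result means this page gives no fix level for that release, so the vendor bulletin has to be consulted directly.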