IBM MQ Vulnerability Addressed – Denial of Service Denied

By |Published On: September 4th, 2023|1 min read|
Table of Contents

An IBM MQ Vulnerability has been addressed. 

Summary

In May, The NATIONAL VULNERABILITY DATABASE published that applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service (DoS). According to IBM, this left an IBM MQ Vulnerability to DoS attacks. 

IBM MQ Vulnerability Details

CVEID: CVE-2023-2650
DESCRIPTION: OpenSSL versions 3.0.x, 3.1.x, 1.1.1, and 1.0.2 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service. A remote attacker could exploit this vulnerability by sending a correctly crafted request designed to cause a denial of service.
LTS versions of MQ from 9.0 through 9.3 as well as 9.3 CD are affected. In addition, the Advanced Message Security (AMS), and MacOS Toolkit are affected. 
 

Remediation/Fixes

IBM MQ 9.0 LTS

Apply Cumulative Security Update 9.0.0.19

IBM MQ 9.1 LTS

Apply Cumulative Security Update 9.1.0.17

IBM MQ 9.2 LTS

Apply Cumulative Security Update 9.2.0.16

IBM MQ 9.3 LTS

Apply Fix Pack 9.3.0.10

For the IBM MQ MacOS Toolkit, the fix is to upgrade to the latest version of the MacOS Toolkit

There are no other workarounds or mitigations. 

 

 

Click here to learn about a secure, cloud-ready, single-interface solution for administration, monitoring, synthetic transactions, user Auditing, and in-depth analytics of your IBM MQ environment.

More Infrared360® Resources

About the Author: Peter D'Agosta

Peter D’Agosta has been in IT for more than 35 years. Cofounder/COO and Product Manager at Avada Software, his background includes application and systems programming, enterprise architecture, consulting, management, analysis, strategic 24/7 systems including airline, banking, and internet, as well as technology innovation. Peter oversaw infrastructures for airlines, branch banking, and online service companies before moving into the software vendor arena where he worked with new innovations in email, messaging, portal and web service technology. Interspersed with engagements for some of the world’s largest companies, Peter’s varied background provides him a unique perspective in applied technology.
Go to Top