An IBM MQ Vulnerability has been addressed.
Summary
In May, The NATIONAL VULNERABILITY DATABASE published that applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a Denial of Service (DoS). According to IBM, this left an IBM MQ Vulnerability to DoS attacks.
IBM MQ Vulnerability Details
CVEID: CVE-2023-2650
DESCRIPTION: OpenSSL versions 3.0.x, 3.1.x, 1.1.1, and 1.0.2 are susceptible to a vulnerability which when successfully exploited could lead to Denial of Service. A remote attacker could exploit this vulnerability by sending a correctly crafted request designed to cause a denial of service.LTS versions of MQ from 9.0 through 9.3 as well as 9.3 CD are affected. In addition, the Advanced Message Security (AMS), and MacOS Toolkit are affected.Remediation/Fixes
IBM MQ 9.0 LTS
Apply Cumulative Security Update 9.0.0.19
IBM MQ 9.1 LTS
Apply Cumulative Security Update 9.1.0.17
IBM MQ 9.2 LTS
Apply Cumulative Security Update 9.2.0.16
IBM MQ 9.3 LTS
Apply Fix Pack 9.3.0.10
For the IBM MQ MacOS Toolkit, the fix is to upgrade to the latest version of the MacOS Toolkit
There are no other workarounds or mitigations.
Click here to learn about a secure, cloud-ready, single-interface solution for administration, monitoring, synthetic transactions, user Auditing, and in-depth analytics of your IBM MQ environment.
More Infrared360® Resources