An IBM MQ vulnerability has been identified in the Jackson library, which the IBM MQ Console uses to provide its REST API functionality. The issue was announced on June 22, 2022. The Jackson library is only used in IBM MQ Versions 9.2.4 and above.
The description of the issue is as follows:
FasterXML jackson-databind is vulnerable to a denial of service, caused by an error when using JDK serialization to serialize and deserialize JsonNode values. By sending a specially crafted request, an attacker could exploit this vulnerability to cause a denial of service.
This issue was resolved under APAR IT40453; for IBM MQ Version 9.2.4 CD and IBM MQ Version 9.2.5 CD, you must upgrade to Version 9.3.
IBM states that there are no workarounds or mitigations; the only remediation is to upgrade.
Trusted Spaces for Smart, Secure IBM MQ Administration.
Security is critical for your enterprise messaging and integration environment. Infrared360’s unique Trusted Spaces™ feature lets you keep users seeing and working only in the areas they should and promotes secure collaboration across departments, teams, locations, and partners. This powerful feature set allows or limits visibility to objects such as Queues, Topics, Consumers, Channels, Applications, Flows, and other integration-type server resources according to the “permissions” or “role” of the user. Trusted Spaces enables secure, smart, self-service IT administration to save you and your team effort and time that can be better utilized elsewhere.
Avada Software’s flagship product, Infrared360®, is an IT management portal providing total administration, monitoring, testing, auditing, analytics dashboards, and self-service for cloud, on-prem, or hybrid environments. Get secure, collaborative management of elements across your IT stack like Kafka®, IBM MQ™, IBM IIB™, TIBCO EMS™, WebSphere™, JBoss™, & Apache™, URLs, and SOAP & REST-based web services.