Multiple issues in versions of Eclipse Jetty may make IBM MQ Vulnerable as it uses them to provide Web Console, REST API, Salesforce Bridge and Blockchain bridge functionality.

Affected versions include: IBM MQ 9.1 LTS , IBM MQ 9.2 CD, IBM MQ 9.1 CD, IBM MQ 9.2 LTS

Under this announcement, multiple issues were covered:

1. According to the announcement Eclipse Jetty could allow a remote attacker to obtain sensitive information, caused by a flaw which makes it possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory . For example a request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. An attacker could exploit this vulnerability to obtain sensitive information from protected resources within the WEB-INF directory, and use this information to launch further attacks against the affected system.
   See CVE-2021-28169
2. For applicable Eclipse Jetty versions, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. This can result in an application used on a shared computer being left logged in and enables an attacker gain access to the application.
   See CVE-2021-34428
3. If the ${jetty.base} directory or the ${jetty.base}/webapps directory is a symlink the directory may be deployed as a static web application, exposing the webapps themselves and anything else that might be in that directory as available for download. The exploiter would need to send a specially-crafted request to exploit this vulnerability but could use this to launch further attacks against.
   See CVE-2021-28163
4. In Jetty the default compliance mode allows specifically crafted requests with URIs that contain %2e or %2e%2e segments to access protected resources within the WEB-INF directory. An attacker can use this vulnerability to reveal sensitive information regarding the implementation of a web application.
   See CVE-2021-28164
5. For applicable Eclipse Jetty versions, URIs can be crafted using encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This could allow a remote attacker to obtain sensitive information and use that information to launch further attacks against the affected system.
   See CVE-2021-34429
6. In Eclipse Jetty a denial of service attack could be caused by sending a large invalid TLS frame and causing CPU usage to reach 100%.
   See CVE-2021-28165

Remediation and fixes listed by IBM are:

For IBM MQ 9.1 LTS, Apply FixPack 9.1.0.10

for IBM MQ 9.2 LTS, Apply FixPack 9.2.0.3

For IBM MQ 9.1 CD and 9.2 CD, Upgrade to IBM MQ 9.2.5

IBM updated their IBM MQ vulnerability from Eclipse Jetty on 24 June 2022

Trusted Spaces for Smart, Secure IBM MQ Administration.

Security is critical for your enterprise messaging and integration environment. Infrared360’s unique Trusted Spaces™ feature lets you keep users seeing and working only in the areas they should and promotes secure collaboration across departments, teams, locations, and partners. This powerful feature set allows or limits visibility to objects such as Queues, Topics, Consumers, Channels, Applications, Flows, and other integration-type server resources according to the “permissions” or “role” of  the user.  Trusted Spaces enables secure, smart, self-service IT administration to save you and your team effort and time that can be better utilized elsewhere.

Check out our website for more information on Trusted Spaces and how Infrared360 helps you identify IBM MQ Vulnerabilities sooner. Or, see how Parker Hannifin utilized Trusted Spaces to securely improve efficiencies across business units