Multiple vulnerabilities in IBM WebSphere MQ

Published: 2017-11-08 12:01:34 | Updated: 2017-11-08 12:14:01
Severity High
Patch available YES
Number of vulnerabilities 6
CVSSv2 6.9 (AV:N/AC:M/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
3.7 (AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
3.2 (AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 8.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
4.9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE ID CVE-2017-3511
CVE-2017-3533
CVE-2016-9840
CVE-2016-9841
CVE-2016-9842
CVE-2016-9843
CWE ID CWE-125
Exploitation vector Network
Public exploit Not available
Vulnerable software IBM WebSphere MQ
Vulnerable software versions IBM WebSphere MQ 8.0.0.6
IBM WebSphere MQ 8.0.0.5
IBM WebSphere MQ 7.5.0.7
Vendor URL IBM Corporation
Advisory type Public

Security Advisory

1) Remote code execution

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded, JRockit JCE component. A remote attacker can trick the victim into visiting a specially crafted web page and execute arbitrary code with the privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E

2) Security restrictions bypass

Description

The vulnerability allows a remote attacker to modify information on the target system.

The weakness exists due to an unknown error in the Java SE, Java SE Embedded, JRockit Networking component. A remote attacker can access and modify arbitrary data.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E

3) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E

4) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to out-of-bounds pointer arithmetic in inftrees.c. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E

5) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to an undefined left shift of a negative number. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E

6) Denial of service

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in zlib due to a big-endian out-of-bounds pointer. A remote attacker can send a specially crafted document, trick the victim into opening it, and cause the application to crash.

Successful exploitation of the vulnerability results in denial of service.

Remediation

Install the update from the vendor's website.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22005123&myns=swgws&mynp=OCSSYHRD&mync=E&cm_sp=swgws-_-OCSSYHRD-_-E
