Denial of service in IBM MQ

Published: 2017-12-22 16:25:13
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 3 (AV:N/AC:L/Au:S/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 3.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE ID CVE-2017-1557
CWE ID CWE-20
Exploitation vector Network
Public exploit Not available
Vulnerable software IBM MQ
Vulnerable software versions IBM MQ 8.0.0.7
IBM MQ 8.0.0.6
IBM MQ 8.0.0.5
Show more
Vendor URL IBM Corporation
Advisory type Public

Security Advisory

1) Denial of service

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker with authority to connect to a remote queue manager can send a malicious request, cause undefined behaviour within the channel process servicing that connection, including a loss of service for other connections being serviced by the same channel process.

Successful exploitation of the vulnerability may result in denial of service.

Remediation

Update to version 8.0.0.8, 9.0.0.2, 9.0.4.

External links

http://www-01.ibm.com/support/docview.wss?uid=swg22004378&myns=swgws&mynp=OCSSYHRD&a...

Back to List