SB2022082326 - Multiple vulnerabilities in IBM MQ
Published: August 23, 2022
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Input validation error (CVE-ID: CVE-2022-27780)
The vulnerability allows a remote attacker to bypass filters and checks.
The vulnerability exists due to the curl URL parser wrongly accepts percent-encoded URL separators like '/' when decoding the host name part of a URL, making it a different URL using the wrong host name when it is later retrieved. For example, the URL like http://example.com%2F10.0.0.1/, would be allowed by the parser and get transposed into http://example.com/10.0.0.1/.
A remote attacker can bypass various internal filters and checks and force the curl to connect to a wrong web application.
2) Cleartext transmission of sensitive information (CVE-ID: CVE-2022-30115)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to an error in HSTS implementation that can allow curl to continue using HTTP protocol instead of HTTPS if the host name in the given URL used a trailing dot while not using one when it built the HSTS cache. A remote attacker with ability to intercept traffic can obtain potentially sensitive information.
Remediation
Install update from vendor's website.
References
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-issues-with-libcurl-cve-2022-27780-cve-2022-30115/"
- https://www.ibm.com/blogs/psirt/security-bulletin-ibm-mq-is-vulnerable-to-issues-with-libcurl-cve-2022-27780-cve-2022-30115/</a></p><p>
- https://www.ibm.com/support/pages/node/6614533</p><p><br></p>