Information disclosure through timing discrepancy in IBM MQ

#VU12569 Information disclosure through timing discrepancy in IBM MQ

Published: 2018-05-10 | Updated: 2018-05-14

Vulnerability identifier: #VU12569

Vulnerability risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1388

CWE-ID: CWE-208

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
IBM MQ
Server applications / Other server solutions

Vendor: IBM Corporation

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to disclosure of side channel information via discrepancies between valid and invalid PKCS#1 padding. A remote attacker can gain access to potentially sensitive information.

Mitigation
Install update from vendor's website.

Vulnerable software versions

IBM MQ: 7.0.1 - 7.0.1.14

External links
http://www-01.ibm.com/support/docview.wss?uid=swg22013022

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Tivoli Directory

Information disclosure in IBM MQ