Free Trial

IBM MQ is vulnerable to a denial of service attack

Overview :
A vulnerability was found in the clustering code that caused a memory leak. This could be exploited by an attacker to execute a denial of service attack against a queue manager.
Affected Product(s) :
 

  • IBM WebSphere MQ V7.1
    versions 7.1.0.0 – 7.1.0.9
    IBM WepSphere MQ V7.5
    versions 7.5.0.0 – 7.5.0.9
    IBM MQ and IBM MQ Appliance V8
    versions 8.0.0.0 – 8.0.0.11
    IBM MQ V9 LTS
    versions 9.0.0.0 – 9.0.0.6
    IBM MQ and IBM MQ Appliance v9.1 LTS
    versions 9.1.0.0 – 9.1.0.2
    IBM MQ and IBM MQ Appliance v9.1 CD
    versions 9.1.1 – 9.1.2
Vulnerability Details :
CVE ID : CVE-2019-4141
IBM MQ is vulnerable to a denial of service attack caused by a memory leak in the clustering code.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/158337 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Solution :

    • IBM WebSphere MQ V7.1
      Contact IBM Support requesting a fix for APAR IT27859
      IBM WepSphere MQ V7.5
      Contact IBM Support requesting a fix for APAR IT27859
      IBM MQ and IBM MQ Appliance V8
      IBM MQ V9 LTS
      IBM MQ and IBM MQ Appliance V9.1 LTS
      IBM MQ and IBM MQ Appliance V9.1 CD
      Upgrade to IBM MQ 9.1.3

Common Vulnerabilityies and Exposures

Contact us to get started

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

CVE-2024-20418 : CISCO IOS XE CONTROLLER WEB-BASED MANAGEMENT INTERFACE COMMAND INJECTION

Description A vulnerability in the web-based management interface of Cisco Unified Industrial Wireless Software for Cisco Ultra-Reliable Wireless Backhaul (URWB)

Learn more
CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

CVE-2024-20536 : CISCO DATA CENTER NETWORK MANAGER 12.1.2E/12.1.2P/12.1.3B WEB-BASED MANAGEMENT INTERFACE/REST API ENDPOINT SQL INJECTION

Description A vulnerability in a REST API endpoint and web-based management interface of Cisco Nexus Dashboard Fabric Controller (NDFC) could

Learn more
CVE-2024-50340 : SYMFONY INJECTION

CVE-2024-50340 : SYMFONY INJECTION

Description symfony/runtime is a module for the Symphony PHP framework which enables decoupling PHP applications from global state. When the

Learn more