
Security Bulletin: IBM MQ can allow an attacker to execute a privilege escalation attack on a local machine. (CVE-2018-1792)



Summary

A problem within IBM MQ queue manager libraries could allow an attacker who has mqm login access to a server to use IBM MQ to escalate their privileges on that system and gain access to the root user.

Vulnerability Details

CVEID: CVE-2018-1792
DESCRIPTION: IBM MQ could allow a local user to inject code that could be executed with root privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/148947 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

IBM MQ V8

IBM MQ V8 versions 8.0.0.0 - 8.0.0.10

IBM MQ V9 LTS

IBM MQ V9 LTS versions 9.0.0.0 - 9.0.0.5

IBM MQ V9 CD

IBM MQ V9 CD versions 9.0.1 - 9.0.5

IBM MQ V9.1 LTS

IBM MQ V9.1 LTS versions 9.1.0.0

Remediation/Fixes

IBM MQ V8

Linux, Solaris, AIX Platforms: Apply interim fix for APAR IT26234

HP-UX Platform: Contact IBM MQ Support and request an interim fix for APAR IT26234

IBM MQ V9 LTS

Linux, Solaris, AIX Platforms: Apply interim fix for APAR IT26234

HP-UX Platform: Contact IBM MQ Support and request an interim fix for APAR IT26234

IBM MQ V9 CD

Upgrade to IBM MQ 9.1 and apply interim fix for APAR IT26234

IBM MQ V9.1 LTS

Upgrade to IBM MQ 9.1.0.1

Workarounds and Mitigations

Do not allow users to log in to machines running IBM MQ servers as the mqm user.
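To turn the affected-version table and the mqm-login workaround above into a repeatable check, here is a small triage script. It is an added example, not IBM's code; the "Version:" line and the passwd entry it parses are constructed samples, and the set of non-login shells it recognises is an assumption.

```python
"""Triage helper for CVE-2018-1792 (IBM MQ local privilege escalation).

Added example, not IBM's code. Checks an installed MQ version against the
affected ranges in the bulletin and whether the mqm account still has an
interactive login shell (the bulletin's workaround is to forbid mqm logins).
"""
import re

# (stream, lowest affected, highest affected, remediation) from the bulletin.
# CD versions use three components, LTS versions four; each range is compared
# on as many components as the bulletin lists for that stream.
AFFECTED = [
    ("V8", (8, 0, 0, 0), (8, 0, 0, 10), "apply interim fix for APAR IT26234"),
    ("V9 LTS", (9, 0, 0, 0), (9, 0, 0, 5), "apply interim fix for APAR IT26234"),
    ("V9 CD", (9, 0, 1), (9, 0, 5), "upgrade to IBM MQ 9.1 and apply interim fix for APAR IT26234"),
    ("V9.1 LTS", (9, 1, 0, 0), (9, 1, 0, 0), "upgrade to IBM MQ 9.1.0.1"),
]

# Assumed set of shells that deny interactive login.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_version(text):
    """Return the dotted version in text as an int tuple, e.g. '9.0.0.5' -> (9, 0, 0, 5)."""
    m = re.search(r"\b(\d+(?:\.\d+){2,3})\b", text)
    if not m:
        raise ValueError("no MQ version found in: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def assess(version):
    """Return (affected, stream, remediation) for a parsed version tuple."""
    for stream, lo, hi, fix in AFFECTED:
        if lo <= version[: len(lo)] <= hi:
            return True, stream, fix
    return False, None, None


def mqm_login_allowed(passwd_text):
    """True if the mqm entry in passwd-format text has an interactive shell."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "mqm":
            return fields[6] not in NOLOGIN_SHELLS
    return False  # no mqm account at all: nothing to log in as


if __name__ == "__main__":
    # Constructed samples: a "Version:" line and one passwd entry for mqm.
    version = parse_version("Version:      9.0.0.5")
    print(assess(version))  # (True, 'V9 LTS', 'apply interim fix for APAR IT26234')
    print(mqm_login_allowed("mqm:x:1001:1001:MQ owner:/var/mqm:/bin/bash"))  # True
```

On a real host, feed `dspmqver` output to `parse_version` and the contents of /etc/passwd to `mqm_login_allowed`; a version that is affected together with an interactive mqm shell is the combination the bulletin warns about.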


Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

The vulnerability was reported to IBM by Rich Mirch.

Change History

October 2018: Initial Version Created.
November 2018: Removed Windows as affected platform, added AIX as an affected platform.
November 2018: Added link to 9.1.0.1 download.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM MQ

Component: Server

Software version: 8.0.0.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.0.6, 8.0.0.7, 8.0.0.8, 8.0.0.9, 8.0.0.10, 9.0.0.0, 9.0.0.1, 9.0.0.2, 9.0.0.3, 9.0.0.4, 9.0.0.5, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.1.0.0

Operating system(s): AIX, HP-UX, Linux, Solaris

Reference #: 0734447

Modified date: 23 November 2018