Security Bulletin: IBM MQ Cloud Paks are vulnerable to multiple vulnerabilities in Perl (CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18311)

Security Bulletin

Summary

Several vulnerabilities were identified with versions of perl which are included in IBM MQ Cloud Paks.

Vulnerability Details

CVEID: CVE-2018-18312
DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by a flaw in the S_regatom function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153587 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-18313
DESCRIPTION: Perl could allow a remote attacker to obtain sensitive information, caused by a heap-based buffer overflow in the S_grok_bslash_N function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could exploit this vulnerability to obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153588 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-18314
DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by a flaw in the S_regatom function in regcomp.c. By using a specially-crafted regular expression, a remote attacker could overflow a buffer and execute arbitrary code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153589 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-18311
DESCRIPTION: Perl is vulnerable to a heap-based buffer overflow, caused by an integer overflow in the Perl_my_setenv function. By sending a specially-crafted request, a local attacker could overflow a buffer and execute arbitrary code or cause a denial of service condition.
CVSS Base Score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM MQ CloudPak for IBM Cloud Private

v1.0.0 - v2.2.0

Remediation/Fixes

IBM MQ CloudPak for IBM Cloud Private v1.0.0 - v.2.2.0

Apply fix pack IBM-MQ-Adv-Cloud-Pak-2.2.1 to upgrade to version 2.2.1

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Support for IBM MQ CloudPak versions

The support lifecycle for IBM MQ CloudPaks is tied directly to the support lifecycle of the IBM MQ version that runs within the CloudPak. When the underlying MQ version goes out of support then the CloudPak will automatically go out of support. IBM MQ CloudPaks are only available with Continous Delivery versions of IBM MQ and so follow the IBM MQ Continuous Delivery support lifecycle .

The version number for the CloudPak provides an indication to customers on what kind of change has been made between different versions. The versioning system used in CloudPaks is the semver versioning system and does not correlate directly to the V.R.M.F version used by IBM MQ.

For reference the table below shows which versions of IBM MQ are available with which version of CloudPak, this can be used to determine whether the version of CloudPak you are using is still in support:

IBM MQ CloudPak and IBM MQ versions
IBM MQ Version	IBM MQ CloudPak for IBM Cloud Private Version	IBM MQ CloudPak for IBM Cloud Private on RedHat OpenShift Version
9.1.1	2.2.0 - 2.2.1	2.2.0 - 2.2.1
9.1.0	2.0.0 -2.1.0	2.1.0
9.0.5	1.3.0	N/A
9.0.4	1.2.0 - 1.2.2	N/A
9.0.3	1.0.0 - 1.1.0	N/A

Change History

30 January 2019: Original Version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Product Record: 127286

Advisory: 14254

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFE2G","label":"IBM MQ certified container software"},"Component":"all","Platform":[{"code":"PF016","label":"Linux"}],"Version":"1.0.0 - 2.2.0","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

Security Bulletin: IBM MQ Cloud Paks are vulnerable to multiple vulnerabilities in Perl (CVE-2018-18312 CVE-2018-18313 CVE-2018-18314 CVE-2018-18311)