MQ
  • 1.  IBM Java vulnerability issue

    Posted Thu October 12, 2023 09:38 AM

    Hi All,

    I would like to ask for some help because I'm stuck with the following vulnerability finding:

    The version of IBM Java installed on the remote host is prior to 7.1 < 7.1.5.18 / 8.0 < 8.0.8.5. It is, therefore, affected by a vulnerability as referenced in the IBM Security Update June 2023 advisory.
    - In Eclipse OpenJ9 before version 0.38.0, in the implementation of the shared cache (which is enabled by default in OpenJ9 builds) the size of a string is not properly checked against the size of the buffer. (CVE-2023-2597)
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

    It should be fixed in the APAR IJ47000: IJ47000: FIX SECURITY VULNERABILITY CVE-2023-2597


    My problem is that I cannot find anything I can download that would fix this vulnerability.

    I currently have MQ running with the following version:

    Name:        IBM MQ
    Version:     9.1.0.16
    Level:       p910-016-230602
    BuildType:   IKAP - (Production)
    Platform:    IBM MQ for Linux (x86-64 platform)
    Mode:        64-bit
    O/S:         Linux 3.10.0-1160.95.1.el7.x86_64
    O/S Details: Red Hat Enterprise Linux
    InstName:    Installation1
    InstDesc:
    Primary:     No
    InstPath:    /opt/mqm
    DataPath:    /var/mqm
    MaxCmdLevel: 910
    LicenseType: Production

    It's alerting for the path:

    /opt/mqm/java/jre64/ Installed version : 8.0.7.20 Fixed version : 8.0.8.5

    openjdk version "1.8.0_382"
    OpenJDK Runtime Environment (build 1.8.0_382-b05)
    OpenJDK 64-Bit Server VM (build 25.382-b05, mixed mode)

    My questions are:
    How to fix the issue?

    Where can I find the fix for it?

    Thank you!



    ------------------------------
    Erika Fődi
    ------------------------------


  • 2.  RE: IBM Java vulnerability issue

    Posted Fri October 13, 2023 01:57 AM

    Hi Erika,

    I think you should consider upgrading the whole MQ installation as versions 9.1.0 LTS and 9.1.x CD have just reached EOS.

    https://www.ibm.com/support/pages/announcement-end-support-ibm-mq-910-lts-and-ibm-mq-91x-cd#EOS1



    ------------------------------
    Hermanni Pernaa
    ------------------------------



  • 3.  RE: IBM Java vulnerability issue

    Posted Fri October 13, 2023 04:56 AM

    Thank you Hermanni,

    for your advice. I know that the version is already EOS. The platform where MQ is running is also EOL and will be decommissioned early next year. I need to find a solution for the remaining time. A major version upgrade is no longer approved, but we should keep the environment safe and handle vulnerability findings.

    Regards,

    Erika



    ------------------------------
    Erika Fődi
    ------------------------------



  • 4.  RE: IBM Java vulnerability issue

    Posted Fri October 13, 2023 01:51 PM

    Hi Erika,

    Here's a hack that I have used with success over the years. IBM would say it is not supported or recommended, but since you are going to decommission the queue manager/server in a few months, you should be fine.

    First, find a release of IBM MQ 9.2 or 9.3 that has the JRE (Java) for Linux with the fix already included, then do the following:

    • Tar then zip the /opt/mqm/java/ directory (assuming a default install) 
    • Copy the zipped tarball to the old server with MQ 9.1
    • Stop the queue manager(s) running 9.1 because MQTT & AMQP use the JRE
    • Rename the directory /opt/mqm/java/ to /opt/mqm/java_orig/ 
    • Unzip and un-tar the file to the /opt/mqm/java/ directory
    • Test it to make sure everything is correct i.e. java -version
    • Start up the queue manager(s)

    Everything should be working and you have safely patched the issue.

    later

    Roger



    ------------------------------
    Roger Lacroix
    CTO
    Capitalware Inc.
    London ON Canada
    https://capitalware.com
    ------------------------------
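    Roger's procedure scripted as an added example (not code from the thread, from IBM or from Capitalware): it keeps the old JRE as java_orig as he describes, refuses to overwrite an existing backup, and adds a dotted-version comparison so the replacement can be checked against the 8.0.8.5 fixed version Nessus reported. The tarball name and the /opt/mqm/java default are assumptions; stop the queue managers first, as the post says.

```shell
#!/bin/sh
# Added example, not from the thread. Scripted JRE swap for an MQ 9.1
# install: back up /opt/mqm/java as /opt/mqm/java_orig, unpack the java/
# tree taken from a newer MQ release, then sanity-check the result.
set -eu

# version_ge A B: true when dotted version A >= B (e.g. 8.0.8.6 >= 8.0.8.5).
# Use it to confirm the donor JRE meets the "Fixed version" from the scan.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        [ "$ai" -gt "$bi" ] && return 0
        [ "$ai" -lt "$bi" ] && return 1
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# swap_jre TARBALL JAVADIR: rename JAVADIR to JAVADIR_orig and extract the
# donor tree into a fresh JAVADIR. Refuses to run if a backup already exists.
# The tarball is assumed to have been made with:
#   tar czf mq-java.tgz -C /opt/mqm/java .     (on the 9.2/9.3 box)
swap_jre() {
    tarball="$1" javadir="$2"
    [ -d "$javadir" ] || { echo "no such directory: $javadir" >&2; return 1; }
    [ ! -e "${javadir}_orig" ] || { echo "${javadir}_orig exists, refusing" >&2; return 1; }
    mv "$javadir" "${javadir}_orig"
    mkdir "$javadir"
    tar xzf "$tarball" -C "$javadir"
}

# jre_version JAVADIR: first line of `java -version` (it prints to stderr),
# the same check the post recommends before restarting the queue managers.
jre_version() {
    "$1/jre64/bin/java" -version 2>&1 | head -n 1
}

# Usage: sh swap_jre.sh mq-java.tgz [/opt/mqm/java]
if [ -n "${1:-}" ]; then
    swap_jre "$1" "${2:-/opt/mqm/java}"
    jre_version "${2:-/opt/mqm/java}"
fi
```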



  • 5.  RE: IBM Java vulnerability issue

    Posted Mon October 16, 2023 05:27 AM

    Hi Erika,

    The MQ Fix Pack 9.1.0.17 contains APAR IT44057. This APAR updates the IBM JRE to 8.0.8.6 on AIX, Windows, Linux. This later version of IBM JRE should include the fix for CVE-2023-2597.

    See https://www.ibm.com/support/pages/fix-list-ibm-mq-version-91-lts and https://www.ibm.com/support/pages/apar/IT44057.



    ------------------------------
    Kok Wai Leung
    ------------------------------



  • 6.  RE: IBM Java vulnerability issue

    Posted Mon October 16, 2023 06:33 AM

    Thank you Kok, I didn't realize that 9.1.0.17 contains it, as I was reviewing this option. :)



    ------------------------------
    Erika Fődi
    ------------------------------



  • 7.  RE: IBM Java vulnerability issue

    Posted Mon October 16, 2023 06:30 AM

    Thank you Roger, for the tip! :)



    ------------------------------
    Erika Fődi
    ------------------------------