
Security Bulletin: IBM MQ Appliance is vulnerable to XML External Entity (XXE) injection and server-side request forgery (CVE-2024-22354)

    Posted 5 days ago

    Risk Level: High (7) based on the CVSS scale


    Security Bulletin:

    IBM MQ Appliance is vulnerable to XML External Entity (XXE) injection and server-side request forgery (CVE-2024-22354) 

    Determining vulnerable servers:

    IBM MQ Appliance (9.3 LTS & 9.3 CD)

    Expertise Connect/AVP Recommendation:

    There are no workarounds. 

    Expertise Connect highly recommends applying APAR IT46058, available in the following Cumulative Security Updates & fix packs for IBM MQ Appliance:

    For IBM MQ Appliance version 9.3 LTS, apply IBM MQ Appliance 9.3.0.20 fix pack or a later firmware version.

    For IBM MQ Appliance version 9.3 CD, apply IBM MQ Appliance 9.3.5.2 cumulative security update or a later firmware version.

    Note: Please refer to the above Security Bulletin for more details on the CVSS Score/Vectors, Affected Products and Versions, Workarounds and Mitigations, Remediation/Fixes, etc.

    References:

    Signup for Notifications
    Complete CVSS v3 Guide
    Online Calculator v3
    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog

    https://www.ibm.com/support/pages/node/7157534



    ------------------------------
    Sushree Satpathy
    IBM
    ------------------------------
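A small fleet-triage helper for this bulletin, added here as an example; it is not IBM's code and not part of the original post. It assumes the appliance firmware level is available to you as a dotted string such as "9.3.0.17", and it assumes IBM's 9.x naming convention that 9.3.0.x is the LTS stream and 9.3.n.x (n >= 1) is the CD stream; the fix levels are the two stated above (9.3.0.20 for LTS, 9.3.5.2 for CD, APAR IT46058). Firmware outside 9.3 is reported as out of scope for this bulletin rather than as safe. The hostnames and levels in the sample inventory are constructed.

```python
"""Triage IBM MQ Appliance firmware levels against CVE-2024-22354
(APAR IT46058). Added example, not IBM's code.

Assumptions (not from the bulletin itself):
  * firmware level is a dotted string like "9.3.0.17"
  * 9.3.0.x is the LTS stream, 9.3.n.x with n >= 1 is the CD stream
"""

from typing import Dict, Iterable, List, Optional, Tuple

# Minimum fixed levels named in the bulletin, per stream.
FIX_LEVELS: Dict[str, Tuple[int, int, int, int]] = {
    "LTS": (9, 3, 0, 20),
    "CD": (9, 3, 5, 2),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "9.3.0.17" into (9, 3, 0, 17), padding to four components."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unexpected firmware level: {version!r}")
    return parts + (0,) * (4 - len(parts))


def stream_of(parts: Tuple[int, ...]) -> Optional[str]:
    """Classify a 9.3 level as LTS or CD; None if the bulletin does not cover it."""
    if parts[:2] != (9, 3):
        return None
    return "LTS" if parts[2] == 0 else "CD"  # assumption: 9.3.0.x == LTS


def assess(version: str) -> dict:
    """Return the stream, whether the level is at/above the fix, and the action."""
    parts = parse_version(version)
    stream = stream_of(parts)
    if stream is None:
        return {
            "version": version,
            "stream": None,
            "in_scope": False,
            "fixed": None,
            "action": "not covered by this bulletin; check IBM's bulletin for this release",
        }
    fix = FIX_LEVELS[stream]
    fixed = parts >= fix  # tuple comparison is lexicographic, component by component
    action = (
        "no action for CVE-2024-22354"
        if fixed
        else f"apply APAR IT46058: upgrade to {'.'.join(map(str, fix))} or later"
    )
    return {
        "version": version,
        "stream": stream,
        "in_scope": True,
        "fixed": fixed,
        "action": action,
    }


def triage(inventory: Iterable[Tuple[str, str]]) -> List[dict]:
    """Assess every (hostname, firmware level) pair in an inventory."""
    return [dict(host=host, **assess(level)) for host, level in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and levels are made up.
    SAMPLE = [
        ("mqa-prod-01", "9.3.0.17"),
        ("mqa-prod-02", "9.3.0.20"),
        ("mqa-dev-01", "9.3.4.1"),
        ("mqa-dev-02", "9.3.5.2"),
        ("mqa-old-01", "9.2.0.15"),
    ]
    for row in triage(SAMPLE):
        print(f"{row['host']:12} {row['version']:10} {row['stream'] or '-':4} {row['action']}")
```

The bulletin gives no workaround, so the only output that matters is the list of appliances still below the fix level for their stream; an appliance on an older CD level such as 9.3.4.x is still flagged, because the fix for the CD stream is 9.3.5.2 or later.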