Security Bulletin: IBM MQ Appliance is vulnerable to XML External Entity (XXE) injection and server-side request forgery (CVE-2024-22354)

    Posted Thu June 27, 2024 12:59 PM

    Risk Level: High (7) based on the CVSS scale


    Security Bulletin:

    IBM MQ Appliance is vulnerable to XML External Entity (XXE) injection and server-side request forgery (CVE-2024-22354)

    Determining vulnerable servers:

    IBM MQ Appliance (9.3 LTS & 9.3 CD)

    Expertise Connect/AVP Recommendation:

    There are no workarounds.

    Expertise Connect highly recommends applying APAR IT46058, available in the following Cumulative Security Updates & fix packs for IBM MQ Appliance:

    For IBM MQ Appliance version 9.3 LTS, apply IBM MQ Appliance 9.3.0.20 fix pack or a later firmware version.

    For IBM MQ Appliance version 9.3 CD, apply IBM MQ Appliance 9.3.5.2 cumulative security update or a later firmware version.

    Note: Please refer to the above Security Bulletin for more details on the CVSS Score/Vectors, Affected Products and Versions, Workarounds and Mitigations, Remediation/Fixes, etc.

    References:

    Sign up for Notifications
    Complete CVSS v3 Guide
    Online Calculator v3
    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog

    https://www.ibm.com/support/pages/node/7157534
    ------------------------------
    Sushree Satpathy
    IBM
    ------------------------------