Risk Level: High (7) based on the CVSS scale
Security Bulletin:
IBM MQ Appliance is vulnerable to XML External Entity (XXE) injection and server-side request forgery (CVE-2024-22354)
Determining vulnerable servers:
IBM MQ Appliance (9.3 LTS & 9.3 CD)
Expertise Connect/AVP Recommendation:
There are no workarounds.
Expertise Connect highly recommends applying APAR IT46058, available in the following Cumulative Security Updates & fix packs for IBM MQ Appliance:
For IBM MQ Appliance version 9.3 LTS, apply IBM MQ Appliance 9.3.0.20 fix pack or a later firmware version.
For IBM MQ Appliance version 9.3 CD, apply IBM MQ Appliance 9.3.5.2 cumulative security update or a later firmware version.
Note: Please refer to the above security bulletin for more details on the CVSS Score/Vectors, Affected Products and Versions, Workarounds and Mitigations, Remediation/Fixes, etc.
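The two fix levels above map to the two 9.3 streams of the appliance firmware. The following added example (not from the bulletin or from IBM) classifies a firmware version string against them; it assumes that 9.3.0.x is the LTS stream and 9.3.1.x and higher is the CD stream, and it deliberately reports any release outside 9.3 as not covered rather than guessing.

```python
# Added example: check an IBM MQ Appliance 9.3 firmware version against the
# APAR IT46058 fix levels quoted in the bulletin above.
# Assumption: 9.3.0.x is the LTS stream, 9.3.1.x and above is the CD stream.
# Versions outside 9.3 are not addressed by this bulletin and are reported
# as "not covered" instead of being judged by this script.
from typing import Optional, Tuple

FIXED_LTS = (9, 3, 0, 20)  # IBM MQ Appliance 9.3.0.20 fix pack
FIXED_CD = (9, 3, 5, 2)    # IBM MQ Appliance 9.3.5.2 cumulative security update


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.3.0.17' into (9, 3, 0, 17); shorter strings are padded with zeros."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2 or len(parts) > 4:
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return parts + (0,) * (4 - len(parts))


def stream(version: Tuple[int, ...]) -> Optional[str]:
    """Return 'LTS', 'CD', or None when the version is not a 9.3 release."""
    if version[:2] != (9, 3):
        return None
    return "LTS" if version[2] == 0 else "CD"


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not covered' for one firmware version."""
    version = parse_version(text)
    release_stream = stream(version)
    if release_stream is None:
        return "not covered"  # e.g. 9.4.x: consult the IBM bulletin directly
    fixed_level = FIXED_LTS if release_stream == "LTS" else FIXED_CD
    # Tuple comparison orders component by component, so 9.3.4.x on the CD
    # stream is correctly reported as below the 9.3.5.2 fix level.
    return "fixed" if version >= fixed_level else "vulnerable"


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real appliance.
    for sample in ("9.3.0.17", "9.3.0.20", "9.3.4.1", "9.3.5.2", "9.4.0.0"):
        print(f"{sample:>9}: {stream(parse_version(sample))} -> {assess(sample)}")
```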
References:
Sign up for Notifications
Complete CVSS v3 Guide
Online Calculator v3
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
https://www.ibm.com/support/pages/node/7157534
------------------------------
Sushree Satpathy
IBM
------------------------------