Security Bulletin: Multiple IBM MQ Security Vulnerabilities Affect IBM Sterling B2B Integrator

CVEID:   CVE-2019-4039 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local attacker to cause a denial of service within the error log reporting system. IBM X-Force ID: 156163.CVSS Base score: 6.2CVSS Temporal Score: See: https://ift.tt/2XM3GZB for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-4055 DESCRIPTION:   IBM MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, and 9.1.0.0 through 9.1.1 is vulnerable to a denial of service attack within the TLS key renegotiation function. IBM X-Force ID: 156564.CVSS Base score: 7.5CVSS Temporal Score: See: https://ift.tt/2XKCxGs for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-4078 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local non privileged user to execute code as an administrator due to incorrect permissions set on MQ installation directories. IBM X-Force ID: 157190.CVSS Base score: 7.4CVSS Temporal Score: See: https://ift.tt/34mBgrB for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2018-1925 DESCRIPTION:   IBM WebShere MQ 9.1.0.0, 9.1.0.1, 9.1.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 152925.CVSS Base score: 5.9CVSS Temporal Score: See: https://ift.tt/2KT5pqZ for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID:   CVE-2019-4239 DESCRIPTION:   IBM MQ Advanced Cloud Pak (IBM Cloud Private 1.0.0 through 3.0.1) stores user credentials in plain in clear text which can be read by a local user. IBM X-Force ID: 159465.CVSS Base score: 6.2CVSS Temporal Score: See: https://ift.tt/2OhE57P for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVEID:   CVE-2019-4078 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local non privileged user to execute code as an administrator due to incorrect permissions set on MQ installation directories. IBM X-Force ID: 157190.CVSS Base score: 7.4CVSS Temporal Score: See: https://ift.tt/34mBgrB for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2018-1998 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 9.1.1 could allow a local user to inject code that could be executed with root privileges. This is due to an incomplete fix for CVE-2018-1792. IBM X-ForceID: 154887.CVSS Base score: 8.8CVSS Temporal Score: See: https://ift.tt/35DEBCP for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVEID:   CVE-2019-4039 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 8.0.0.9 and 9.0.0.0 through 9.1.1 could allow a local attacker to cause a denial of service within the error log reporting system. IBM X-Force ID: 156163.CVSS Base score: 6.2CVSS Temporal Score: See: https://ift.tt/2XM3GZB for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2018-1974 DESCRIPTION:   IBM WebSphere 8.0.0.0 through 9.1.1 could allow an authenticated attacker to escalate their privileges when using multiplexed channels. IBM X-Force ID: 153915.CVSS Base score: 7.5CVSS Temporal Score: See: https://ift.tt/2rpcZ5T for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVEID:   CVE-2018-1792 DESCRIPTION:   IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947.CVSS Base score: 8.8CVSS Temporal Score: See: https://ift.tt/2qKHyTw for the current score.CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVEID:   CVE-2017-1786 DESCRIPTION:   IBM WebSphere MQ 8.0 through 8.0.0.8 and 9.0 through 9.0.4 under special circumstances could allow an authenticated user to consume all resources due to a memory leak resulting in service loss. IBM X-Force ID: 136975.CVSS Base score: 5.3CVSS Temporal Score: See: https://ift.tt/2pQyr3f for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2018-1684 DESCRIPTION:   IBM WebSphere MQ 8.0 through 9.1 is vulnerable to a error with MQTT topic string publishing that can cause a denial of service attack. IBM X-Force ID: 145456.CVSS Base score: 5.3CVSS Temporal Score: See: https://ift.tt/37EYH1k for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H) CVEID:   CVE-2019-4261 DESCRIPTION:   IBM WebSphere MQ V7.1, 7.5, IBM MQ V8, IBM MQ V9.0LTS, IBM MQ V9.1 LTS, and IBM MQ V9.1 CD are vulnerable to a denial of service attack caused by specially crafted messages. IBM X-Force ID: 160013.CVSS Base score: 4.3CVSS Temporal Score: See: https://ift.tt/2rt9lIg for the current score.CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L) ...read more

from IBM Product Security Incident Response Team https://ift.tt/2OI4evv