IBM Product Family (IBM i, IBM MQ, IBM WebSphere Application Server) Security Update Advisory
Overview
IBM has released updates that address vulnerabilities in several IBM products. Users of the affected versions are advised to update to the fixed versions listed below.
Affected Products
CVE-2024-39742
- IBM MQ Operator versions: 3.2.2, 2.0.24
CVE-2024-31912
- IBM MQ LTS version: 9.3
- IBM MQ CD version: 9.3
CVE-2024-38330
- IBM System Management for i versions: 7.2, 7.3, 7.4
CVE-2024-35154
- IBM WebSphere Application Server version: 8.5
- IBM WebSphere Application Server version: 9.0
Resolved Vulnerabilities
A substring comparison flaw that could allow users to bypass authentication in certain configurations (CVE-2024-39742)
A vulnerability that could allow an authenticated user to escalate privileges in certain configurations due to incorrect privilege assignment (CVE-2024-31912)
A vulnerability that could allow a local user to gain elevated privileges due to an unqualified library program call (CVE-2024-38330)
A vulnerability that could allow a remote authenticated attacker with access to the administrative console to execute arbitrary code (CVE-2024-35154)
Vulnerability Patches
Fixes for these vulnerabilities are available in the latest updates. Follow the instructions on the Referenced Sites below to apply them.
CVE-2024-39742
Apply the fixes listed under “Remediation/Fixes” on Referenced Site [2]
CVE-2024-31912
- IBM MQ LTS version: 9.3.0.20 (or later 9.3.0 fix pack)
- IBM MQ CD version: 9.4
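The fixed levels above are easy to misread on a fleet, because IBM MQ 9.3 ships as two streams: LTS releases are numbered 9.3.0.<fixpack> and CD releases 9.3.<n> with n greater than 0, and the CD stream has no in-stream fix (the remedy is moving to 9.4). The following triage helper is an added example, not part of the IBM bulletin or of IBM MQ: it parses the "Version:" line of dspmqver output, works out which stream the install belongs to, and classifies it against CVE-2024-31912. The sample dspmqver text is constructed for the example, and the function names are my own.

```python
"""Triage helper for CVE-2024-31912 (IBM MQ 9.3 LTS / 9.3 CD).

Added example, not code from the IBM bulletin. It reads the 'Version:'
line printed by dspmqver and compares the installed level with the fixed
levels named in the advisory: 9.3.0.20 for the LTS stream, 9.4 for CD.
"""
import re

# Fixed levels taken from the advisory. IBM MQ numbers LTS releases as
# 9.3.0.<fixpack> and CD releases as 9.3.<n> with n > 0, so the stream can be
# recovered from the version string alone.
LTS_FIXED = (9, 3, 0, 20)
CD_FIXED = (9, 4)

# Constructed sample of dspmqver output (not captured from a real system).
SAMPLE_LTS = """Name:        IBM MQ
Version:     9.3.0.10
Level:       p930-010-231108
BuildType:   IKAP - (Production)
Platform:    IBM MQ for Linux (x86-64 platform)
"""


def parse_version(text):
    """Return the V.R.M.F tuple from the 'Version:' line of dspmqver output."""
    m = re.search(r"^Version:\s*([\d.]+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no 'Version:' line found in dspmqver output")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad short strings such as '9.4' to four components so comparisons work.
    return parts + (0,) * (4 - len(parts))


def assess_cve_2024_31912(version):
    """Classify an IBM MQ V.R.M.F tuple against CVE-2024-31912.

    Returns 'vulnerable', 'fixed', or 'not_listed' (a release the advisory
    does not mention, e.g. 9.2 LTS, which must be checked against IBM's
    own bulletin rather than assumed safe).
    """
    vrmf = tuple(version)
    if vrmf[:2] == (9, 3):
        if vrmf[2] == 0:
            # LTS stream: fixed from fix pack 20 onward.
            return "fixed" if vrmf >= LTS_FIXED else "vulnerable"
        # CD stream (9.3.1 .. 9.3.x): no in-stream fix, upgrade to 9.4.
        return "vulnerable"
    if vrmf[:2] >= CD_FIXED:
        # 9.4 and later streams carry the fix (assumption: IBM does not
        # regress a fix in a later release stream).
        return "fixed"
    return "not_listed"


def triage_dspmqver(text):
    """Convenience wrapper: (version string, classification) for a dspmqver dump."""
    vrmf = parse_version(text)
    return ".".join(str(p) for p in vrmf), assess_cve_2024_31912(vrmf)


if __name__ == "__main__":
    print(triage_dspmqver(SAMPLE_LTS))  # → ('9.3.0.10', 'vulnerable')
```

Run it against the real output of `dspmqver` on each MQ host (or the container image's reported version for the Operator case); a result of not_listed is a prompt to consult the bulletin, not a clean bill of health.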
CVE-2024-38330
Apply the fixes listed under “Remediation/Fixes” on Referenced Site [6]
CVE-2024-35154
Apply the fixes listed under “Remediation/Fixes” on Referenced Site [8]
Referenced Sites
[1] CVE-2024-39742 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-39742
[2] Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to packages included in IBM WebSphere Application Server, Bouncy Castle Crypto Package For Java, k8.io, IBM Java and also memory leak, password handling cases
https://www.ibm.com/support/pages/node/7159714
[3] CVE-2024-31912 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-31912
[4] Security Bulletin: IBM MQ is vulnerable to a privilege escalation attack (CVE-2024-31912)
[5] CVE-2024-38330 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-38330
[6] Security Bulletin: IBM Managed System Services for i and IBM System Management for i are vulnerable to a local user gaining elevated privilege due to unqualified library calls [CVE-2024-38330]
https://www.ibm.com/support/pages/node/7159615
[7] CVE-2024-35154 Detail
https://nvd.nist.gov/vuln/detail/CVE-2024-35154
[8] Security Bulletin: IBM WebSphere Application Server is vulnerable to remote code execution (CVE-2024-35154)