IBM Product Security Update Advisory
Overview
An update has been released to address vulnerabilities in IBM products. Users of the affected versions are advised to update to the latest version.
Affected Products
CVE-2024-40681
- IBM MQ Operator version: 2.0.26
- IBM MQ Operator version: 3.2.4
CVE-2024-45076, CVE-2024-45075
- IBM webMethods Integration version: 10.15
Resolved Vulnerabilities
Vulnerability that allows authenticated users in a specially defined role to bypass security restrictions and execute actions against the Queue Manager (CVE-2024-40681)
Vulnerability that allows an authenticated user to upload and execute arbitrary files on the underlying operating system (CVE-2024-45076)
Vulnerability that could allow an unauthenticated user to create a scheduler task and escalate to administrator privileges (CVE-2024-45075)
Vulnerability Patches
The following product-specific vulnerability patches have been made available with the latest update. If you are using an affected version, please follow the instructions on the referenced sites to update to the latest patched version.
CVE-2024-40681
- Update as described in the “Remediation/Fixes” section of reference [1]
CVE-2024-45076, CVE-2024-45075
- Update as described in the “Remediation/Fixes” section of reference [2]
References
[1] Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to denial of service, privilege escalation and kerberos 5
https://www.ibm.com/support/pages/node/7167732
[2] Security Bulletin: Multiple vulnerabilities in IBM webMethods Integration