Sicherheitsupdate für Django Web Framework

IBM middleware: Vulnerability in MQ could lead to privilege escalation

IBM warns of several vulnerabilities in the IBM MQ Operator and Queue Manager as well as the one provided container images. The errors originate in particular from the supplied third-party components.

Due to a lack of access control in the containerd of the base system, authenticated attackers from the network could start new processes with elevated privileges with carefully crafted requests (CVE-2020-15257, CVSS 9.8risk “critical“). In addition, a vulnerability for reading environment variables could be abused when containers use the containerd CRI service. This could be used to launch further attacks against affected systems (CVE-2021-21334, CVSS 7.5, high).

A vulnerability in Golang Go could bring down an affected system due to possible out-of-bounds memory accesses in the ImportedSymbols function in debug/macho. With prepared binary files, attackers from the network could trigger a denial of service (, CVSS 7.5, high). Attackers could also use another vulnerability in Golang Go to paralyze an instance. When processing ZIP archives, manipulated archive headers could lead to denial of service (CVE-2021-39293, CVSS 7.5, high).

The included IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 to 22.0.0.2 enabled clickjacking attacks. Attackers could have lured potential victims to a malicious website and triggered remote clicks from the web. This would also have allowed further attacks on victims (CVE-2021-39038, CVSS 4.4, medium).

The errors are in the versions IBM MQ Operator 2.0.0 CDwhich contains MQ Advanced 9.3.0.0 container images provided by IBM, IBM MQ Operator 1.3.5 EUS with MQ Advanced 9.2.0.5 container images provided by IBM as well IBM MQ Operator 2.0.0 LTS fixed with IBM MQ Operator Catalog Image as well as MQ Advanced v9.3.0.0 Queue Manager Container images provided by IBM.

IBM also has another security bulletin for the IBM Content Manager Enterprise Edition 8.6 updated. Although the Log4Shell vulnerability could be bypassed, it now says version 8.7 however, a bug-fixed version is available. IBM recommends installing the update now.

IBM has compiled more information about the vulnerabilities and the available updates in the security advisories:

Mainframe DevOps: BMC delivers industry-standard insights with DORA metrics Previous post Mainframe DevOps: BMC delivers industry-standard insights with DORA metrics
Amazon Prime Day: What's worth it for Apple users Next post Amazon Prime Day: What is and isn’t worthwhile for Apple users