IBM middleware: Vulnerability in MQ could lead to privilege escalation
IBM warns of several vulnerabilities in the IBM MQ Operator and Queue Manager as well as in the container images supplied with them. The errors originate in particular from the bundled third-party components.
Due to a lack of access control in containerd on the base system, authenticated attackers from the network could start new processes with elevated privileges using carefully crafted requests (CVE-2020-15257, CVSS 9.8, risk "critical"). In addition, a vulnerability that allows environment variables to be read could be abused when containers use the containerd CRI service. This could be used to launch further attacks against affected systems (CVE-2021-21334, CVSS 7.5, high).
A vulnerability in Golang Go could bring down an affected system due to possible out-of-bounds memory accesses in the ImportedSymbols function in debug/macho. With prepared binary files, attackers from the network could trigger a denial of service (, CVSS 7.5, high). Attackers could also use another vulnerability in Golang Go to paralyze an instance: when processing ZIP archives, manipulated archive headers could lead to a denial of service (CVE-2021-39293, CVSS 7.5, high).
The included IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 126.96.36.199 to 188.8.131.52 enabled clickjacking attacks. Attackers could have lured potential victims to a malicious website and triggered clicks remotely from the web. This would also have allowed further attacks on the victims (CVE-2021-39038, CVSS 4.4, medium).
The errors are fixed in the versions IBM MQ Operator 2.0.0 CD, which contains the MQ Advanced 184.108.40.206 container images provided by IBM; IBM MQ Operator 1.3.5 EUS with the MQ Advanced 220.127.116.11 container images provided by IBM; and IBM MQ Operator 2.0.0 LTS with the IBM MQ Operator Catalog Image and the MQ Advanced v18.104.22.168 Queue Manager container images provided by IBM.
Fix for Apache log4j
IBM has also updated another security bulletin, for IBM Content Manager Enterprise Edition 8.6. Although the Log4Shell vulnerability could be worked around, the bulletin now states, a bug-fixed release is available with version 8.7. IBM recommends installing the update now.
IBM has compiled more information about the vulnerabilities and the available updates in the security advisories: