IBM middleware: Vulnerability in MQ could lead to privilege escalation

IBM warns of several vulnerabilities in the IBM MQ Operator and Queue Manager as well as the one provided container images. The errors originate in particular from the supplied third-party components.

Multiple gaps

Due to a lack of access control in the containerd of the base system, authenticated attackers from the network could start new processes with elevated privileges with carefully crafted requests (CVE-2020-15257, CVSS 9.8risk “critical“). In addition, a vulnerability for reading environment variables could be abused when containers use the containerd CRI service. This could be used to launch further attacks against affected systems (CVE-2021-21334, CVSS 7.5, high).

A vulnerability in Golang Go could bring down an affected system due to possible out-of-bounds memory accesses in the ImportedSymbols function in debug/macho. With prepared binary files, attackers from the network could trigger a denial of service (, CVSS 7.5, high). Attackers could also use another vulnerability in Golang Go to paralyze an instance. When processing ZIP archives, manipulated archive headers could lead to denial of service (CVE-2021-39293, CVSS 7.5, high).

The included IBM WebSphere Application Server 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 to 22.0.0.2 enabled clickjacking attacks. Attackers could have lured potential victims to a malicious website and triggered remote clicks from the web. This would also have allowed further attacks on victims (CVE-2021-39038, CVSS 4.4, medium).

The errors are in the versions IBM MQ Operator 2.0.0 CDwhich contains MQ Advanced 9.3.0.0 container images provided by IBM, IBM MQ Operator 1.3.5 EUS with MQ Advanced 9.2.0.5 container images provided by IBM as well IBM MQ Operator 2.0.0 LTS fixed with IBM MQ Operator Catalog Image as well as MQ Advanced v9.3.0.0 Queue Manager Container images provided by IBM.

Fix for Apache log4j

IBM also has another security bulletin for the IBM Content Manager Enterprise Edition 8.6 updated. Although the Log4Shell vulnerability could be bypassed, it now says version 8.7 however, a bug-fixed version is available. IBM recommends installing the update now.

IBM has compiled more information about the vulnerabilities and the available updates in the security advisories:

Source code editor Visual Studio Code gets the Copilot Chat ready to go

Data integration: Apache Hop 2.4 supports DuckDB and scripting in ECMAScript

2022 was supposed to be the year of the Metaverse. Something went wrong?

Rating of the best mobile phones of 2022. 10 nominations in different categories

Hamburg District Court: Uberspace may no longer host Youtube-DL

Test drive Citroen C5 Aircross Hybrid: a look into the future

SAMP / T air defense system: Mamba is waiting for Russians under the Christmas tree

Logos as phishing antidotes in e-mails: Apple goes along with BIMI

Rating of the best laptops in 2022. 10 nominations in different categories

IBM middleware: Vulnerability in MQ could lead to privilege escalation

Multiple gaps

Fix for Apache log4j