Middleware: IBM plugs security gaps in MQ
There were security gaps in IBM’s MQ middleware. Attackers could have obtained unauthorized information or bypassed URL filters.
Security gaps in IBM’s MQ middleware could have enabled attackers to obtain information without authorization and use it for further attacks, or to circumvent URL filters. The manufacturer provides updates that close the vulnerabilities. MQ middleware is used, among other things, to exchange messages between different systems (message queue, MQ).
Three high-risk vulnerabilities in IBM MQ
The IBM MQ Explorer performs insufficient validation of submitted XML data. An attacker could thereby obtain sensitive data or consume memory resources. This class of attack is called XML External Entity Injection (XXE) (CVE-2022-22489, CVSS 8.2, risk “high”). According to IBM’s security notification, the error is found in IBM MQ 8.0, 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD and 9.2 LTS. The manufacturer also links the updated software there.
The supplied libcurl library opens up further vulnerabilities. IBM MQ Server and non-Java client installations rely on its HTTP URL facility to download remote CCDT files. Attackers could bypass security checks because libcurl incorrectly accepts percent-encoded URL delimiters such as ‘/’ in the hostname. With a carefully crafted hostname in the URL, an attacker could bypass URL filters (CVE-2022-27780, CVSS 7.5, high).
In addition, attackers could obtain sensitive information, since a so-called HSTS check can be bypassed in libcurl. HTTP Strict Transport Security checks are designed to prevent man-in-the-middle attacks. With a manipulated hostname that carries a trailing dot in the URL, malicious actors could abuse the vulnerability to obtain information via plaintext HTTP and use it to launch further attacks against affected systems (CVE-2022-30115, CVSS 7.5, high).
The libcurl bugs are found in IBM MQ 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD and 9.2 LTS. IBM provides links to software patches in the Security Advisory.
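As an added illustration (not IBM’s or curl’s code) of why an outbound-URL policy should canonicalize the host before matching it, the following Python compares a raw-host lookup with one that rejects percent-encoding in the host part and strips a trailing dot; the domain allowlist and HSTS entries are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample policy (not from IBM or curl): any host under this domain
# may serve CCDT downloads, and these hosts are known to require HTTPS (HSTS).
ALLOWED_DOMAIN = "example.com"
HSTS_HOSTS = {"ccdt.example.com"}
HOST_FORBIDDEN = set("%/?#@\\")   # a hostname must never contain these

def naive_in_domain(url: str) -> bool:
    """Weak form: suffix-match the raw host string the URL parser returns."""
    return (urlsplit(url).hostname or "").endswith("." + ALLOWED_DOMAIN)

def naive_hsts_applies(url: str) -> bool:
    """Weak form: look up the raw host string; 'host.' never matches 'host'."""
    return urlsplit(url).hostname in HSTS_HOSTS

def canonical_host(raw: str):
    """Normalize a host for policy lookups; None if it is not a plain hostname."""
    host = raw.lower()
    if len(host) > 1 and host.endswith("."):
        host = host[:-1]                  # 'name.' is the same name as 'name'
    if not host or HOST_FORBIDDEN & set(host):
        return None                       # percent-encoding or delimiters: reject
    return host

def fetch_policy(url: str):
    """Return (scheme, host) the download may use, or None to block it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.username is not None:
        return None                       # no userinfo tricks, no other schemes
    host = canonical_host(parts.hostname or "")
    if host is None:
        return None
    if host != ALLOWED_DOMAIN and not host.endswith("." + ALLOWED_DOMAIN):
        return None
    scheme = "https" if host in HSTS_HOSTS else parts.scheme   # HSTS upgrade
    return scheme, host

if __name__ == "__main__":
    for u in ("https://ccdt.example.com/ccdt.json",
              "https://evil.net%2F.example.com/ccdt.json",   # encoded '/' in host
              "http://ccdt.example.com./ccdt.json"):         # trailing-dot host
        print(u, naive_in_domain(u), naive_hsts_applies(u), fetch_policy(u))
```

The raw-host checks accept the encoded-delimiter host as "in domain" and miss the HSTS entry for the trailing-dot host, while the canonicalizing policy blocks the former and upgrades the latter to HTTPS.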
Since IBM classifies the vulnerabilities as high risk, administrators of the MQ middleware should schedule a maintenance window promptly to download and install the updates. This significantly reduces the attack surface for cybercriminals. Third-party components have repeatedly been a problem in IBM’s MQ: about six weeks ago, updates for the middleware were already necessary because attackers could have elevated their privileges through security gaps in it.