Two vulnerabilities in IBM WebSphere MQ
Severity: Low
Fix available: Yes
Number of vulnerabilities: 2
CVSS v2 (CVE-2014-6116): AV:A/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:O/RC:C = Base: 5.8 / Temporal: 4.3
CVSS v2 (CVE-2014-4822): AV:L/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:O/RC:C = Base: 2.1 / Temporal: 1.6
CVE ID: CVE-2014-6116; CVE-2014-4822
Attack vector: Local network
Impact: Security bypass (CVE-2014-6116), Disclosure of sensitive data (CVE-2014-4822)
Affected products: IBM WebSphere MQ 7.x, IBM WebSphere MQ 8.x
1. [CVE-2014-6116] IBM WebSphere MQ versions prior to the 24 September 2014 build (level p000-001-L140910)
2. [CVE-2014-4822] IBM WebSphere MQ classes for Java libraries from WebSphere MQ 8;
IBM WebSphere MQ Explorer from WebSphere MQ 8, versions prior to 184.108.40.206;
IBM WebSphere MQ Explorer from WebSphere MQ 7.5, versions prior to 220.127.116.11
1. [CVE-2014-6116] This vulnerability could allow a remote user to bypass certain security restrictions.
The vulnerability is due to the application failing to authenticate users properly when a JAAS configuration (JAASConfig) is set. It can be exploited through an MQTT client to bypass the authentication mechanism.
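Because the authentication flaw applies only to telemetry (MQTT) channels that delegate authentication to JAAS, an administrator patching against this advisory first needs an inventory of such channels. The script below is an added example and is not part of the advisory or of IBM's own tooling: it parses the text that `runmqsc` prints for `DISPLAY CHANNEL(*) CHLTYPE(MQTT)` and lists every MQTT channel whose `JAASCFG` attribute is non-blank. The sample output embedded in the script is constructed to mimic the `AMQ8414` record layout and the real `CHLTYPE`/`JAASCFG` attribute names; channel names, ports and JAAS configuration names in it are invented.

```python
import re
from typing import Dict, List

# Constructed sample of `runmqsc` output for DISPLAY CHANNEL(*) CHLTYPE(MQTT).
# The AMQ8414 record layout and attribute names follow runmqsc conventions;
# channel names, ports and the JAAS configuration name are made up.
SAMPLE_MQSC_OUTPUT = """\
AMQ8414: Display Channel details.
   CHANNEL(MQTT.AUTH)                      CHLTYPE(MQTT)
   ALTDATE(2014-09-01)                     ALTTIME(10.15.00)
   BACKLOG(4096)                           DESCR( )
   JAASCFG(MQTTJaasLogin)                  LOCLADDR( )
   MCAUSER( )                              PORT(1883)
   PROTOCOL(MQTTV3,HTTP)                   SSLCAUTH(REQUIRED)
   USECLTID(NO)
AMQ8414: Display Channel details.
   CHANNEL(MQTT.ANON)                      CHLTYPE(MQTT)
   ALTDATE(2014-09-01)                     ALTTIME(10.16.00)
   BACKLOG(4096)                           DESCR(No JAAS on this channel)
   JAASCFG( )                              LOCLADDR( )
   MCAUSER(guest)                          PORT(1884)
   PROTOCOL(MQTTV3)                        SSLCAUTH(OPTIONAL)
   USECLTID(NO)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   ALTDATE(2014-09-01)                     ALTTIME(10.17.00)
   DESCR( )                                MCAUSER( )
"""

# Each attribute is printed as NAME(value); a line may carry two of them.
ATTR_RE = re.compile(r"([A-Z]+)\(([^)]*)\)")
# Every channel record begins with this message identifier.
RECORD_START = "AMQ8414:"


def parse_channels(text: str) -> List[Dict[str, str]]:
    """Split runmqsc DISPLAY CHANNEL output into one attribute dict per channel."""
    channels: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith(RECORD_START):
            current = {}
            channels.append(current)
            continue
        if not channels:
            # Ignore any banner text before the first record.
            continue
        for name, value in ATTR_RE.findall(line):
            # Blank attributes are printed as "( )"; normalise them to "".
            current[name] = value.strip()
    return channels


def jaas_mqtt_channels(text: str) -> List[str]:
    """Names of MQTT channels that rely on a JAAS configuration for authentication."""
    return [
        c["CHANNEL"]
        for c in parse_channels(text)
        if c.get("CHLTYPE") == "MQTT" and c.get("JAASCFG")
    ]


if __name__ == "__main__":
    # With live data, pipe the runmqsc output into this script instead.
    for name in jaas_mqtt_channels(SAMPLE_MQSC_OUTPUT):
        print(f"MQTT channel using JAAS authentication: {name}")
```

Channels reported by `jaas_mqtt_channels` are the ones whose authentication depends on the fix; channels with a blank `JAASCFG` are not affected by CVE-2014-6116 but still deserve a look at their `MCAUSER` and `SSLCAUTH` settings on their own merits.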
2. [CVE-2014-4822] This vulnerability could allow a local user to gain access to sensitive data.
The vulnerability is caused by an unspecified error. A local user may obtain certain passwords in unencrypted form.
Solution: Install the latest version from the vendor's website.