IBM MQ Operator and Queue Manager Container Images Improper Certificate Validation Vulnerability in Internet Pass-Thru

Vulnerability

A vulnerability exists in IBM MQ Operator LTS versions 2.0.0 to 2.0.29, MQ Operator CD versions 3.0.0, 3.0.1, 3.1.0 to 3.1.3, 3.3.0, 3.4.0, 3.4.1, 3.5.0, 3.5.1, 3.6.0, and MQ Operator SC2 versions 3.2.0 to 3.2.13. The issue arises from improper validation of TLS certificates in the Internet Pass-Thru feature, which could allow a malicious user to intercept and obtain sensitive information from another TLS session connected to the same hostname and port.

Impact

Successful exploitation could give an attacker unauthorized access to sensitive information carried in another TLS session to the same hostname and port, allowing that data to be intercepted and misused.

Remediation

Users are advised to update to IBM MQ Operator v3.6.1 for CD or v3.2.14 for SC2. Additionally, IBM MQ Container users should update to version 9.4.3.0-r2. Instructions for accessing these versions are available on the IBM Support website.

Added: Jul 24, 2025, 6:04 PM
Updated: Jul 24, 2025, 6:04 PM

Vulnerability Rating

Custom Algorithm

spread: 1.2
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.