"IBM Patches Severe Vulnerabilities in MQ Messaging Middleware"

IBM recently announced patches for high-severity vulnerabilities in IBM MQ, warning that attackers could exploit them to bypass security restrictions or access sensitive information. IBM MQ is messaging and queuing middleware that provides enterprise-grade messaging between applications, enabling data transfer between programs and the delivery of messages to multiple subscribers. Two security issues were resolved in IBM MQ, both residing within the libcurl library. IBM noted that both flaws can be exploited remotely. The first, tracked as CVE-2022-27780, could allow an attacker to bypass security restrictions using a specially crafted host name in a URL. The second, CVE-2022-30115, is an HSTS check bypass that could be exploited to obtain sensitive information over clear-text HTTP. IBM MQ versions 9.2 LTS, 9.1 LTS, 9.0 LTS, 9.2 CD, and 9.1 CD were vulnerable. Both vulnerabilities were addressed under APAR IT40933.

SecurityWeek reports: "IBM Patches Severe Vulnerabilities in MQ Messaging Middleware"