CVE-2024-35156: IBM MQ information disclosure

Q: What is the severity of CVE-2024-35156?

CVE-2024-35156 has moderate severity as it could allow a remote attacker to access sensitive information through detailed error messages.

Q: How do I fix CVE-2024-35156?

To mitigate CVE-2024-35156, ensure that error messages do not reveal sensitive information by properly configuring the error handling in IBM MQ.

Q: Which versions of IBM MQ are affected by CVE-2024-35156?

CVE-2024-35156 affects IBM MQ versions up to 9.3.0.20 for LTS and up to 9.4.0.0 for Continuous Delivery.

Q: Can CVE-2024-35156 be exploited remotely?

Yes, CVE-2024-35156 can be exploited remotely as it involves the exposure of sensitive information through error messages in a browser.

Q: What should I monitor for with CVE-2024-35156?

Monitor for unauthorized access attempts and unusual behavior that may exploit the vulnerabilities related to error messages in IBM MQ.

Published Jun 1, 2024

Updated

IBM MQ 9.3 LTS and 9.3 CD could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system. IBM X-Force ID: 292766.

Other sources

IBM MQ could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

— IBM

Affected Software

4 affected components

IBM MQ Operator<=SC2 (formerly LTS): v3.2.0, v3.2.1CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3 LTS: v2.0.0 - 2.0.23 Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images<=CD: 9.4.0.0-r1, 9.3.4.0-r1, 9.3.4.1-r1,9.3.5.0-r1,9.3.5.0-r2,9.3.5.1-r1, 9.3.5.1-r2LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3 Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2

IBM MQ>=9.3.0.0<9.3.0.20

IBM MQ>=9.3.0.0<9.4.0.0

Event History

Jun 1, 2024

CVE Published

via IBM·12:00 AM

Jun 28, 2024

CVE Published

via MITRE·06:12 PM

Data Sourced

via MITRE·06:12 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·07:15 PM

DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

IBM-7159714

Frequently Asked Questions

What is the severity of CVE-2024-35156?

CVE-2024-35156 has moderate severity as it could allow a remote attacker to access sensitive information through detailed error messages.

How do I fix CVE-2024-35156?

To mitigate CVE-2024-35156, ensure that error messages do not reveal sensitive information by properly configuring the error handling in IBM MQ.

Which versions of IBM MQ are affected by CVE-2024-35156?