CVE-2024-39742: IBM MQ Container authentication bypass

Q: What is the severity of CVE-2024-39742?

The severity rating for CVE-2024-39742 is currently not publicly disclosed, but it introduces the risk of authentication bypass.

Q: How do I fix CVE-2024-39742?

To mitigate CVE-2024-39742, update IBM MQ Operator to version 3.2.2 or later and correct any partially insecure configurations.

Q: Which IBM products are affected by CVE-2024-39742?

CVE-2024-39742 affects IBM MQ Operator versions up to 3.2.1 and specific IBM Advanced container images.

Q: Can CVE-2024-39742 lead to unauthorized access?

Yes, CVE-2024-39742 could allow an attacker to bypass authentication and potentially gain unauthorized access to the system.

Q: Are there any workaround solutions for CVE-2024-39742?

As of now, applying the recommended updates is the primary solution, with no official workarounds provided for CVE-2024-39742.

Published Jul 5, 2024

Updated

IBM MQ Container Developer Edition 3.2.0 and IBM MQ Container Developer Edition 3.2.1 could allow a user to bypass authentication under certain configurations due to a partial string comparison vulnerability. IBM X-Force ID: 297169.

Other sources

IBM MQ Operator 3.2.2 and IBM MQ Operator 2.0.24 could allow a user to bypass authentication under certain configurations due to a partial string comparison vulnerability. IBM X-Force ID: 297169.

— NVD

Affected Software

10 affected components

IBM MQ Operator<=SC2 (formerly LTS): v3.2.0, v3.2.1CD: v3.0.0, v3.0.1, v3.1.0 - 3.1.3 LTS: v2.0.0 - 2.0.23 Other Release: v2.4.0 - v2.4.8, v2.3.0 - 2.3.3, v2.2.0 - v2.2.2

IBM supplied MQ Advanced container images<=CD: 9.4.0.0-r1, 9.3.4.0-r1, 9.3.4.1-r1,9.3.5.0-r1,9.3.5.0-r2,9.3.5.1-r1, 9.3.5.1-r2LTS: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.0.10-r1, 9.3.0.10-r2, 9.3.0.11-r1,9.3.0.11-r2, 9.3.0.15-r1, 9.3.0.16-r1, 9.3.0.16-r2, 9.3.0.17-r1, 9.3.0.17-r2, 9.3.0.17-r3 Other Release: 9.2.0.1-r1-eus, 9.2.0.2-r1-eus, 9.2.0.2-r2-eus, 9.2.0.4-r1-eus, 9.2.0.5-r1-eus, 9.2.0.5-r2-eus, 9.2.0.5-r3-eus, 9.2.0.6-r1-eus, 9.2.0.6-r2-eus, 9.2.0.6-r3-eus, 9.2.3.0-r1, 9.2.4.0-r1, 9.2.5.0-r1, 9.2.5.0-r2, 9.2.5.0-r3, 9.3.0.0-r1, 9.3.0.0-r2, 9.3.0.0-r3, 9.3.0.1-r1, 9.3.0.1-r2, 9.3.0.1-r3, 9.3.0.1-r4, 9.3.0.3-r1, 9.3.0.4-r1, 9.3.0.4-r2, 9.3.0.5-r1, 9.3.0.5-r2, 9.3.0.5-r3, 9.3.0.6-r1, 9.3.1.0-r1, 9.3.1.0-r2, 9.3.1.0-r3, 9.3.1.1-r1, 9.3.2.0-r1, 9.3.2.0-r2, 9.3.2.1-r1, 9.3.2.1-r2, 9.3.3.0-r1, 9.3.3.0-r2, 9.3.3.1-r1, 9.3.3.1-r2, 9.3.3.2-r1, 9.3.3.2-r2, 9.3.3.2-r3, ,9.3.3.3-r1, 9.3.3.3-r2

IBM MQ Operator>=2.0.0<2.0.24

IBM MQ Operator>=2.2.0<=2.2.2

IBM MQ Operator>=2.3.0<=2.3.3

IBM MQ Operator>=2.4.0<=2.4.8

IBM MQ Operator>=3.1.0<=3.1.3

IBM MQ Operator>=3.2.0<3.2.2

IBM MQ Operator=3.0.0

IBM MQ Operator=3.0.1

Event History

Jul 5, 2024

CVE Published

via IBM·12:00 AM

Jul 8, 2024

CVE Published

via MITRE·01:16 PM

Data Sourced

via MITRE·01:16 PM

DescriptionSeverityWeakness

Data Sourced

via NVD·02:15 PM

DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

IBM-7159714

Frequently Asked Questions

What is the severity of CVE-2024-39742?

The severity rating for CVE-2024-39742 is currently not publicly disclosed, but it introduces the risk of authentication bypass.

How do I fix CVE-2024-39742?

To mitigate CVE-2024-39742, update IBM MQ Operator to version 3.2.2 or later and correct any partially insecure configurations.

Which IBM products are affected by CVE-2024-39742?