CVE-2024-31912

7.5 HIGH

📋 TL;DR

IBM MQ 9.3 LTS and 9.3 CD contain a privilege escalation vulnerability where authenticated users can gain elevated privileges under certain configurations due to incorrect privilege assignment. This affects organizations running vulnerable versions of IBM MQ with specific privilege configurations. The vulnerability requires authenticated access but can lead to unauthorized administrative control.

💻 Affected Systems

Products:
  • IBM MQ
Versions: 9.3 LTS and 9.3 CD
Operating Systems: All supported platforms
Default Config Vulnerable: ✅ No
Notes: Only vulnerable under certain privilege configurations. Requires authenticated user access with specific privilege assignments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An authenticated attacker gains full administrative control over IBM MQ, allowing them to read, modify, or delete all messages, reconfigure queues, and potentially compromise connected systems.

🟠 Likely Case

Malicious insiders or compromised accounts escalate privileges to perform unauthorized operations within IBM MQ, potentially disrupting message flow or exfiltrating sensitive data.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to attempted privilege escalation that can be detected and blocked before successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access and specific privilege configurations. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix packs as specified in IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/7158072

Restart Required: Yes

Instructions:

1. Review IBM advisory at provided URL.
2. Download and apply appropriate fix pack for your version.
3. Restart IBM MQ services.
4. Verify patch application.

🔧 Temporary Workarounds

Review and Restrict Privilege Assignments

Platform: all

Audit and restrict privilege assignments to ensure users only have necessary permissions

Review MQ authority records and user privileges using MQSC commands or IBM MQ Explorer

Implement Least Privilege Access

Platform: all

Ensure users have minimum required privileges and separate administrative accounts from regular user accounts

Use the setmqaut command to adjust privileges (prefix an authorization with + to grant it or - to remove it): setmqaut -m <queue_manager> -t <object_type> -n <object_name> -p <principal> +<privileges>
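
One way to carry out the authority-record review and least-privilege check described above, as an added example (not IBM's code and not from this page): it parses a saved dump from the IBM MQ dmpmqaut command and lists entities outside the admin list that hold administrative or context-setting authorities. The stanza layout, the admin entity list ("mqm") and the sample records are assumptions constructed for illustration.

```python
import re

# setmqaut authorization keywords that administer objects or set identity
# context, beyond ordinary put/get application access.
SENSITIVE = {"all", "alladm", "chg", "clr", "crt", "dlt", "ctrl", "ctrlx",
             "setall", "setid", "altusr"}

# Constructed sample; stanza layout assumed from `dmpmqaut -m <queue_manager>`.
SAMPLE_DUMP = """\
profile:     APP.REQUEST
object type: queue
entity:      appsvc
type:        principal
authority:   get, browse, put, inq
- - - - - - - -
profile:     APP.**
object type: queue
entity:      appsvc
type:        principal
authority:   get put chg dlt
- - - - - - - -
profile:     self
object type: qmgr
entity:      mqm
type:        group
authority:   all
"""

def parse_authrecs(text):
    """Return one dict per stanza; a stanza starts at each 'profile:' line."""
    recs = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key == "profile":
            recs.append({})          # new stanza
        if sep and recs:             # separator lines have no colon
            recs[-1][key] = value.strip()
    return recs

def risky_grants(text, admin_entities=("mqm",)):
    """Return (entity, object type, profile, authorities) for non-admin holders."""
    findings = []
    for rec in parse_authrecs(text):
        auths = set(re.split(r"[,\s]+", rec.get("authority", "").lower()))
        hits = sorted(auths & SENSITIVE)
        if hits and rec.get("entity", "").lower() not in admin_entities:
            findings.append((rec.get("entity"), rec.get("object type"), rec.get("profile"), hits))
    return findings
```

Save real output with dmpmqaut -m <queue_manager> to a file and pass its text to risky_grants; check the stanza field names against the output of your MQ version first.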

🧯 If You Can't Patch

  • Implement strict access controls and monitor for privilege escalation attempts
  • Segment IBM MQ instances and restrict network access to authorized systems only

🔍 How to Verify

Check if Vulnerable:

Check IBM MQ version using 'dspmqver' command and compare against affected versions (9.3 LTS and 9.3 CD)

Check Version:

dspmqver

Verify Fix Applied:

Verify applied fix pack version matches IBM's patched versions and test privilege escalation attempts

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in MQ error logs
  • Unexpected administrative operations from non-admin accounts
  • Failed authorization attempts followed by successful privileged operations

Network Indicators:

  • Unusual MQ administrative traffic from non-admin systems
  • Suspicious MQ command channel activity

SIEM Query:

source="mq_error.log" AND ("authorization failure" OR "privilege escalation" OR "unauthorized access")
