CVE-2024-51470
📋 TL;DR
This vulnerability in IBM MQ allows authenticated users to cause denial-of-service by sending messages with improperly set values. It affects multiple IBM MQ versions across different platforms including LTS, CD, Appliance, and HPE NonStop editions. The issue stems from improper handling of message values that can crash or degrade service.
💻 Affected Systems
- IBM MQ
- IBM MQ Appliance
- IBM MQ for HPE NonStop
📦 What is this software?
IBM MQ is IBM's message-oriented middleware: applications put messages to and get messages from queues hosted by a queue manager, and channels connect client applications and other queue managers to it. The same product line is delivered as installable software in LTS and CD release streams, as the IBM MQ Appliance, and as IBM MQ for HPE NonStop, which is why one message-handling defect spans all three product entries above.
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption of IBM MQ, affecting message queuing for dependent applications and potentially causing business process failures.
Likely Case
Service degradation or temporary unavailability of IBM MQ instances, requiring restart to restore functionality.
If Mitigated
Limited impact: with PUT authority restricted to known application identities (and SVRCONN channels mapping clients to non-privileged users), an attacker first needs a credential that is allowed to put messages, and error-log monitoring surfaces the internal-error records a crash produces so the offending identity or channel can be shut off.
🎯 Exploit Status
Exploitation requires an authenticated connection to the queue manager with authority to put messages. The trigger is message content with improperly set values, handled by the queue manager's message-processing logic, so it arrives through the normal MQI rather than as a protocol-level attack on the listener.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fixes as specified in IBM advisories: APAR IJ50341 for IBM MQ 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.3 CD, 9.4 LTS, 9.4 CD; APAR IJ50342 for IBM MQ Appliance 9.3 LTS, 9.3 CD, 9.4 LTS; APAR IJ50343 for IBM MQ for HPE NonStop 8.1.0 through 8.1.0.25
Vendor Advisory: https://www.ibm.com/support/pages/node/7177593
Restart Required: Yes
Instructions:
1. Review the IBM advisory for the fix version that applies to your release stream (LTS, CD, Appliance, HPE NonStop).
2. Apply the corresponding fix pack or interim fix.
3. Restart the affected queue managers on the updated installation.
4. Verify with dspmqver that the installed level matches the advisory.
🔧 Temporary Workarounds
Restrict Message Access
Implement access controls to limit which authenticated users can send messages to queues.
Use IBM MQ authority records (setmqaut, or SET AUTHREC in runmqsc) to restrict PUT authority on queues to the application identities that need it. For client connections the identity checked is the one the SVRCONN channel runs under (its MCAUSER, or the user a CHLAUTH rule maps the client to), so a channel whose MCAUSER is a privileged or shared account gives every client that account's PUT authority regardless of queue-level records.
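Narrowing PUT authority on one queue, as an added example rather than anything from the IBM advisory. Queue manager QM1, queue APP.IN, the broad OS group mqusers and the service account app_svc are placeholders, and the dspmqaut output used to confirm the change is constructed:

```shell
#!/bin/sh
# Added example, not from the IBM advisory. QM1, APP.IN, mqusers and app_svc
# are placeholders; the dspmqaut output below is constructed.
set -eu

# Emit the commands that narrow PUT on a queue: revoke it from the broad
# group, grant the service account what it needs, then display the group's
# remaining authorities. Printing first lets a change reviewer read them;
# pipe the output to sh to apply.
narrow_put_authority() {
  qm=$1 queue=$2 broad_group=$3 svc_user=$4
  printf '%s\n' \
    "setmqaut -m $qm -t queue -n $queue -g $broad_group -put" \
    "setmqaut -m $qm -t queue -n $queue -p $svc_user +put +get +inq +browse" \
    "dspmqaut -m $qm -t queue -n $queue -g $broad_group"
}

# dspmqaut prints one authority per indented line. Read that output on
# stdin and return 0 if "put" is among them, 1 otherwise, so the revoke can
# be confirmed rather than assumed.
has_put() {
  grep -Eq '^[[:space:]]+put[[:space:]]*$'
}

# Constructed dspmqaut output, before and after narrow_put_authority.
DSPMQAUT_BEFORE='Entity mqusers has the following authorizations for object APP.IN:
        get
        browse
        put
        inq'
DSPMQAUT_AFTER='Entity mqusers has the following authorizations for object APP.IN:
        get
        browse
        inq'
```

Run `narrow_put_authority QM1 APP.IN mqusers app_svc | sh` on the queue manager host, then `dspmqaut -m QM1 -t queue -n APP.IN -g mqusers | has_put && echo "put still granted"` to check. Two things to confirm afterwards: on UNIX and Linux the OAM may record a `-p` grant against the user's primary group rather than the user, so check the service account with `dspmqaut -p app_svc` as well; and the SVRCONN channels the clients use must not run under an MCAUSER that still holds PUT, or the queue-level record changes nothing for them.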
Message Validation
Implement message validation at the application level to reject messages with improper values.
Validate message descriptor fields and payloads in the sending applications before they reach the queue manager. This only covers messages from applications you control; it does nothing against an attacker who holds valid credentials and puts messages directly.
🧯 If You Can't Patch
- Implement strict authentication and authorization controls to limit who can send messages
- Monitor for unusual message patterns and cap connection counts per client with the SVRCONN channel attributes MAXINST and MAXINSTC; IBM MQ has no built-in per-message rate limit, so throttling of message submission has to be done in the applications or an intermediary
🔍 How to Verify
Check if Vulnerable:
Check IBM MQ version against affected versions list. Review system logs for message handling errors or service crashes.
Check Version:
dspmqver reports the installed version and fix pack level on Linux, UNIX and Windows; for a running queue manager, runmqsc followed by DISPLAY QMGR VERSION CMDLEVEL shows the level it is actually running at
Verify Fix Applied:
Confirm with dspmqver that the installed level is at or above the fix pack or interim fix named in the APAR for your release stream, and that every queue manager was restarted on the new level. Do not attempt to reproduce the crash against production queue managers.
📡 Detection & Monitoring
Log Indicators:
- Unexpected queue manager or channel process termination
- Internal-error messages (for example AMQ6125E, AMQ6119E, AMQ6184W) in the queue manager's AMQERR01.LOG, usually paired with a new FDC file (AMQ*.FDC) in the installation's errors directory
- Queue manager crash records or FDC files clustered in time and tied to one connecting user or channel
Network Indicators:
- Unusual message volume from authenticated users
- Connection drops to IBM MQ services
SIEM Query (illustrative; the field names depend on how the error logs are ingested):
source="IBM_MQ" AND (event_type="service_crash" OR error_message="message handling")
Matching on the MQ message id (AMQ6125E, AMQ6119E, AMQ6184W, AMQ5008E) is more reliable than free-text matching on the message body.
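The log indicators above, turned into something that can be run on the queue manager host. This is an added example, not code from the advisory: it parses AMQERR01.LOG records (each ends with a "----- file.c : line -----" trailer) and counts the message ids that accompany an internal error (AMQ6125E, AMQ6119E, AMQ6184W, each of which also writes an FDC file) or an essential process ending (AMQ5008E), grouped by the User() and Program() of the logging process. The sample log excerpt, including its explanation and action text, is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory. Parses AMQERR01.LOG records and
# counts crash-indicator message ids per logging user and program. Note that
# for channel processes (amqrmppa) User() is the MQ service account, not the
# connecting client; the client identity is on the channel/CHLAUTH side.
set -eu

# One line per record: Time User Program QMgr MsgId
mq_summarise() {
  awk '
    function field(s, name) {               # value of name(...) in header s
      if (match(s, name "\\([^)]*\\)"))
        return substr(s, RSTART + length(name) + 1, RLENGTH - length(name) - 2)
      return "-"
    }
    /^[^ ].* - Process\(/      { hdr = $0; next }          # record header
    /^[ \t]+[A-Za-z0-9]+\(/    { hdr = hdr " " $0; next }  # header continuation
    /^AMQ[0-9]+[EWI]:/ {
      msg = substr($1, 1, length($1) - 1)                  # drop the colon
      print field(hdr, "Time"), field(hdr, "User"), field(hdr, "Program"), field(hdr, "QMgr"), msg
      hdr = ""
    }
  ' "$1"
}

# "User Program Count" for records whose message id is a crash indicator.
mq_crash_indicators() {
  mq_summarise "$1" | awk '
    $5 ~ /^AMQ(6125E|6119E|6184W|5008E)$/ { n[$2 " " $3]++ }
    END { for (k in n) print k, n[k] }
  ' | sort
}

mq_crash_count() {
  mq_crash_indicators "$1" | awk '{ s += $3 } END { print s + 0 }'
}

# Writes a constructed AMQERR01.LOG excerpt (three records) to the file in $1.
sample_log() {
  cat > "$1" <<'EOF'
11/12/2024 10:15:30 - Process(4101.2) User(mqm) Program(amqrmppa)
                      Host(mqhost1) Installation(Installation1)
                      VRMF(9.3.0.20) QMgr(QM1)
                      Time(2024-11-12T10:15:30.101Z)

AMQ9208E: Error on receive from host mqclient1 (10.0.0.5).

EXPLANATION:
An error occurred receiving data from mqclient1 (10.0.0.5) over TCP/IP.
ACTION:
Check the client host and the network between it and the queue manager.
----- amqccita.c : 4321 -------------------------------------------------------
11/12/2024 10:15:31 - Process(4101.2) User(mqm) Program(amqrmppa)
                      Host(mqhost1) Installation(Installation1)
                      VRMF(9.3.0.20) QMgr(QM1)
                      Time(2024-11-12T10:15:31.220Z)

AMQ6125E: An internal IBM MQ error has occurred.

EXPLANATION:
An internal error has occurred with identifier 20806.
ACTION:
Save the FDC file written to the errors directory and contact IBM support.
----- amqxfdcp.c : 866 --------------------------------------------------------
11/12/2024 10:15:33 - Process(5222.1) User(app_user) Program(orderproc)
                      Host(mqhost1) Installation(Installation1)
                      VRMF(9.3.0.20) QMgr(QM1)
                      Time(2024-11-12T10:15:33.004Z)

AMQ6125E: An internal IBM MQ error has occurred.

EXPLANATION:
An internal error has occurred with identifier 20806.
ACTION:
Save the FDC file written to the errors directory and contact IBM support.
----- amqxfdcp.c : 866 --------------------------------------------------------
EOF
}
```

Against a real host: `mq_crash_indicators /var/mqm/qmgrs/QM1/errors/AMQERR01.LOG`. A bindings-mode application that repeatedly shows up here under its own user, or a burst of internal-error records on one channel process, is the pattern to correlate with the authority records and CHLAUTH mappings for that identity; a single AMQ9208E from a dropped client connection is not.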