The version of IBM MQ Server running on the remote host is affected by multiple vulnerabilities as referenced in the 7157976 advisory.

  - IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through     24.0.0.4 are vulnerable to a denial of service, caused by sending a specially crafted request. A remote     attacker could exploit this vulnerability to cause the server to consume memory resources. IBM X-Force ID:
    281516. (CVE-2024-25026)

  - IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through     24.0.0.5 are vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A     remote attacker could exploit this vulnerability to expose sensitive information, consume memory     resources, or to conduct a server-side request forgery attack. IBM X-Force ID: 280401. (CVE-2024-22354)

  - IBM WebSphere Application Server Liberty 18.0.0.2 through 24.0.0.4 is vulnerable to a denial of service,     caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause     the server to consume memory resources. IBM X-Force ID: 284574. (CVE-2024-27268)

  - IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is vulnerable to a denial of service,     caused by sending a specially crafted request. A remote attacker could exploit this vulnerability to cause     the server to consume memory resources. IBM X-Force ID: 280400. (CVE-2024-22353)

  - The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption)     via a large p2c (aka PBES2 Count) value. (CVE-2023-51775)

  - IBM WebSphere Application Server 8.5, 9.0 and IBM WebSphere Application Server Liberty 17.0.0.3 through     24.0.0.3 are vulnerable to server-side request forgery (SSRF). By sending a specially crafted request, an     attacker could exploit this vulnerability to conduct the SSRF attack. X-Force ID: 279951. (CVE-2024-22329)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

IBM MQ 9.1 <= 9.1.0.22 / 9.2 <= 9.2.0.26 / 9.3 < 9.3.0.20 LTS / 9.3 < 9.4 CD (7157976)

high Nessus Plugin ID 201055

Version 1.3