CVE-2019-4619: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ and IBM MQ Appliance versions 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD were found to contain a security vulnerability that could allow local attackers to obtain sensitive information through trace data inclusion. This vulnerability was assigned CVE-2019-4619 and IBM X-Force ID 168862. The issue was publicly disclosed in March 2020 (NVD, IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.5 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. IBM's assessment rated it slightly lower at 5.1 (Medium) with the vector CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified under CWE-209 (Generation of Error Message Containing Sensitive Information), indicating that the issue relates to the exposure of sensitive data through trace functionality (NVD).

The vulnerability could allow a local attacker to obtain sensitive information that is included within trace data. The impact is limited to confidentiality breaches, with no direct effect on system integrity or availability (IBM Advisory).

IBM has released fixes for all affected versions: For WebSphere MQ V7.1 and V7.5, users should contact IBM Support requesting a fix for APAR IT30830. For MQ V8.0, apply FixPack 8.0.0.14, for MQ V9.0 LTS apply FixPack 9.0.0.9, for MQ V9.1 LTS apply FixPack 9.1.0.4, and for MQ V9.1 CD apply FixPack 9.1.4. As a workaround, IBM recommends avoiding the use of the -ftppassword parameter to runmqras (IBM Advisory).