CVE-2019-4656: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ and IBM MQ Appliance versions 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD were identified with a vulnerability (CVE-2019-4656) that could allow an authenticated user to perform a denial of service attack. The vulnerability was disclosed in March 2020 and affects multiple versions of the IBM MQ software suite (IBM Security Bulletin).

The vulnerability allows an authenticated user to craft a malicious message that causes a queue manager to incorrectly mark a queue as damaged, requiring a restart to continue processing against the queue. The vulnerability has been assigned a CVSS Base Score of 6.5 (Medium) with a vector string of CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and high impact on availability (IBM Security Bulletin).

When exploited, this vulnerability results in a denial of service condition where the affected queue becomes damaged and unusable until the queue manager is restarted. This can cause service disruption and require manual intervention to restore normal operations (IBM Security Bulletin).

IBM has released fixes for all affected versions: WebSphere MQ V7.1 and V7.5 require contacting IBM Support for APAR IT30649, MQ V8.0 requires FixPack 8.0.0.14, MQ V9.0 LTS requires FixPack 9.0.0.9, MQ V9.1 LTS requires FixPack 9.1.0.4, and MQ V9.1 CD users should upgrade to IBM MQ 9.1.5. No workarounds are available (IBM Security Bulletin).