CVE-2019-4719: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ and IBM MQ Appliance versions 7.1, 7.5, 8.0, 9.0 LTS, 9.1 LTS, and 9.1 CD were found to contain a vulnerability that could allow a local attacker to obtain sensitive information through the inclusion of sensitive data within runmqras data. This vulnerability was assigned CVE-2019-4719 and was disclosed in March 2020 (NVD, IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. IBM's assessment rated it slightly lower at 5.1 (Medium) with the vector CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability specifically relates to the exposure of sensitive information through the runmqras data collection functionality (NVD).

If exploited, this vulnerability could allow a local attacker to obtain sensitive information from the affected IBM MQ systems. The impact is limited to confidentiality (C:H), with no effect on integrity or availability of the system (IBM Advisory).

IBM has released fixes for all affected versions: FixPack 8.0.0.14 for V8, FixPack 9.0.0.9 for V9 LTS, FixPack 9.1.0.4 for V9.1 LTS, and FixPack 9.1.4 for V9.1 CD. For earlier versions (V7.1 and V7.5), users should contact IBM Support requesting a fix for APAR IT30928. As a workaround, users should avoid using the -ftppassword parameter with runmqras (IBM Advisory).