
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM MQ Appliance versions 9.2 CD and 9.2 LTS contain a session invalidation vulnerability identified as CVE-2021-38986. The system does not properly invalidate sessions after logout, potentially allowing authenticated users to impersonate other users on the system (IBM Support, NVD).
The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NVD with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. IBM Corporation assigned a slightly higher CVSS v3.0 score of 5.6 (Medium) with vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-613: Insufficient Session Expiration (NVD).
The vulnerability could allow an authenticated user to impersonate another user on the system, potentially leading to unauthorized access to system resources and data (IBM Support).
IBM has addressed this vulnerability under APAR IT38930. For IBM MQ Appliance version 9.2 LTS, users should apply fixpack 9.2.0.4 or later firmware. For version 9.2 CD, users should upgrade to 9.2.5 CD or later firmware. No workarounds are available (IBM Support).
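To triage a fleet against the fixed levels above, the following added example (not IBM's or this database's own code) classifies reported firmware versions. It assumes versions are reported as dotted V.R.M or V.R.M.F strings and that a modification level of 0 marks an LTS build while a non-zero one marks a CD build; the host names and inventory are constructed.

```python
import re

# Fixed firmware levels stated in the advisory (APAR IT38930).
FIXED_LTS = (9, 2, 0, 4)  # 9.2 LTS: fix pack 9.2.0.4 or later
FIXED_CD = (9, 2, 5)      # 9.2 CD: 9.2.5 CD or later

def parse_version(text):
    """Parse 'V.R.M' or 'V.R.M.F' into a 4-tuple of ints (missing F becomes 0)."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){2,3}", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (4 - len(parts))

def assess(version):
    """Return 'affected', 'fixed' or 'not-listed' for CVE-2021-38986."""
    v = parse_version(version)
    if v[:2] != (9, 2):
        # The advisory lists only 9.2 CD and 9.2 LTS; make no claim about others.
        return "not-listed"
    if v[2] == 0:
        # Assumption: modification level 0 is the LTS stream.
        return "fixed" if v >= FIXED_LTS else "affected"
    # Assumption: non-zero modification level is the CD stream.
    return "fixed" if v[:3] >= FIXED_CD else "affected"

def triage(inventory):
    """Map each host to its status; bad version strings are flagged, not dropped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = assess(version)
        except ValueError:
            report[host] = "unparseable"
    return report

# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "mqa-prod-01": "9.2.0.3",
    "mqa-prod-02": "9.2.0.4",
    "mqa-test-01": "9.2.4",
    "mqa-test-02": "9.2.5",
    "mqa-lab-01": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:8} {status}")
```

Hosts reported as `unparseable` or `not-listed` need a manual check against the IBM bulletin rather than being treated as safe.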
Source: This report was generated using AI