
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
IBM MQ Appliance 9.2 CD and 9.2 LTS were affected by a vulnerability in which local messaging users' passwords were stored using a hash that provides insufficient protection (CVE-2022-22321). The vulnerability was discovered and reported to IBM in January 2022, with public disclosure on March 1, 2022 (NVD, IBM Advisory).
The vulnerability has a CVSS v3.1 Base Score of 5.5 MEDIUM (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) according to NVD, while IBM rates it at 5.1 MEDIUM (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue specifically affects internally stored messaging users on the IBM MQ Appliance. The vulnerability is classified under CWE-326 (Inadequate Encryption Strength) (NVD).
The vulnerability could allow an attacker with local access to compromise the confidentiality of password hashes for local messaging users. This affects only internally stored messaging users, not appliance users who can administer the appliance and IBM MQ resources (IBM Advisory).
IBM has addressed this vulnerability under APAR IT39829. For IBM MQ Appliance version 9.2 LTS, users should apply fixpack 9.2.0.5 or later firmware. For version 9.2 CD, users should upgrade to 9.2.5 CD or later firmware. Additionally, passwords for local messaging users set prior to installation of the indicated firmware versions should be updated (IBM Advisory).
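The remediation above has two parts: a firmware level and a password reset for anything set before that firmware was installed. The following is an added example, not IBM's or this database's code, that checks both against a constructed inventory. The inventory layout, appliance names, users and dates are hypothetical, and it assumes that a modification level of 0 (9.2.0.x) denotes LTS and any other level denotes CD.

```python
from datetime import datetime

# Fixed firmware levels as stated in the advisory summary above.
FIXED_LTS = (9, 2, 0, 5)  # 9.2 LTS: fixpack 9.2.0.5 or later
FIXED_CD = (9, 2, 5, 0)   # 9.2 CD: 9.2.5 CD or later

# Constructed sample inventory (hypothetical appliance names, users, dates).
INVENTORY = [
    {"name": "mqa-01", "firmware": "9.2.0.4", "fixed_installed": None,
     "users": {"appA": "2021-11-02", "appB": "2022-02-10"}},
    {"name": "mqa-02", "firmware": "9.2.5", "fixed_installed": "2022-03-15",
     "users": {"billing": "2021-06-30", "orders": "2022-03-20"}},
]


def parse_version(text):
    """Turn '9.2.0.4' or '9.2.5' into a 4-tuple, padding with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def firmware_status(version_text):
    """Classify a firmware level as fixed, vulnerable or out-of-scope."""
    v = parse_version(version_text)
    if v[:2] != (9, 2):
        return "out-of-scope"  # the summary names only 9.2 CD and 9.2 LTS
    # Assumption: modification level 0 (9.2.0.x) is LTS, anything else is CD.
    fixed = FIXED_LTS if v[2] == 0 else FIXED_CD
    return "fixed" if v >= fixed else "vulnerable"


def users_needing_reset(appliance):
    """Local messaging users whose password predates the fixed firmware."""
    users = appliance["users"]
    status = firmware_status(appliance["firmware"])
    if status == "out-of-scope":
        return []
    if status == "vulnerable":
        return sorted(users)  # every password was set on unfixed firmware
    installed = datetime.fromisoformat(appliance["fixed_installed"])
    return sorted(u for u, changed in users.items()
                  if datetime.fromisoformat(changed) < installed)


if __name__ == "__main__":
    for a in INVENTORY:
        print(a["name"], firmware_status(a["firmware"]), users_needing_reset(a))
```

An appliance that reports "fixed" but still lists users here has completed only half of the remediation.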
Source: This report was generated using AI