CVE-2022-31772: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ versions 8.0, 9.0 LTS, 9.1 CD, 9.1 LTS, 9.2 CD, and 9.2 LTS were found to contain a vulnerability that could allow an authenticated and authorized user to cause a denial of service to the MQTT channels. The vulnerability was assigned CVE-2022-31772 and was initially recorded on May 27, 2022. The affected component specifically includes the Telemetry Service within IBM MQ (IBM Security Bulletin).

The vulnerability has been assigned a CVSS Base score of 5.3 with a vector of CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. This scoring indicates that the vulnerability requires network access, has high attack complexity, needs low privileges, requires no user interaction, has no impact on confidentiality or integrity, but can have a high impact on availability. The vulnerability is classified under CWE-20 (Improper Input Validation) (IBM Security Bulletin).

The primary impact of this vulnerability is the potential for denial of service affecting the MQTT channels in IBM MQ. The attack requires an authenticated and authorized user, limiting the scope of potential attackers, but could result in service disruption for affected systems (IBM Security Bulletin).

IBM has released fixes for all affected versions: For IBM MQ 8.0 and 9.0 LTS, users should apply iFix for APAR IT33206; For version 9.1 LTS, apply FixPack 9.1.0.12; For version 9.2 LTS, apply Fixpack 9.2.0.6; For version 9.3 LTS, apply Fixpack 9.3.0.1; For IBM MQ versions 9.1, 9.2 & 9.3 CD, users should upgrade to IBM MQ 9.3.0 and apply FixPack 9.3.0.1. No workarounds are available for this vulnerability (IBM Security Bulletin).