Puzzled by WMQ vulnerability advisory

Well, I knew this one was out there but never looked at the CVE for it – there is a memory corruption vulnerability in the WebSphere MQ ( CVE-2007-6044) that is network exploitable.  What I can’t figure out is why the Impact and Exploitability scores are both 10.  The CVE entry says:

NOTE: as of 20071116, the only disclosure is a vague pre-advisory with no actionable information. However, since it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.

In other words, “we don’t know what this does but it scares the bejeesus out of us”?  And then there’s this:

Access Complexity: Low
**NOTE: Access Complexity scored Low due to insufficient information

“Access complexity” is a score of how difficult it is to exploit.  If the difficulty is unknown, the assumption is that it’s easy.  OK, I can see taking the conservtive approach and assuming it’s a high threat until you have more information.  But ten months after this was first assigned a CVE, we still don’t have any details and there have been no exploits reported in the wild.  Shouldn’t the severity slowly decline to, say, medium if the vulnerability is never revealed in any detail or exploited?  I’ll even concede giving some leeway to “a well known researcher” but how long should the CVE sit like this before it is ramped down or rejected?

Clicking throug the external links, I see that SecurityReason credits the disclosure to IRM Research.  But IRM Research does not list the vulnerability among its advisories.  Security Focus has an advisory for this CVE but links to IBM’s Flash about the client channel vulnerability – a completely different issue that has its own CVE.

You might not expect it after reading my rant but I’m actually a fan of the CVE system.  But this entry just makes me scratch my head and wonder.  In any case, update to 6.0.2.2 or better to get the fix.

This entry was posted in General, WMQ, WMQ Security and tagged , , , , , , . Bookmark the permalink.

Leave a Reply