CVE-2024-31912 Overview
CVE-2024-31912 is a privilege escalation vulnerability affecting IBM MQ 9.3 LTS and 9.3 CD message-oriented middleware. The flaw stems from incorrect privilege assignment [CWE-266] under certain configurations. An authenticated user can leverage this weakness to elevate their privileges on the affected queue manager. IBM tracks this issue as X-Force ID 289894.
The vulnerability requires low privilege authentication and no user interaction. Successful exploitation impacts confidentiality, integrity, and availability of the MQ environment.
Critical Impact
An authenticated attacker with low privileges can escalate to higher privileges on IBM MQ queue managers, gaining unauthorized access to messages, configurations, and administrative functions.
Affected Products
- IBM MQ 9.3 LTS (Long Term Support)
- IBM MQ 9.3 CD (Continuous Delivery)
- IBM MQ deployments using vulnerable configurations on cpe:2.3:a:ibm:mq:9.3.0
Discovery Timeline
- 2024-06-28 - CVE-2024-31912 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-31912
Vulnerability Analysis
IBM MQ provides message queuing services that broker transactions and data between enterprise applications. The product enforces authorization through object authority manager (OAM) records that bind user identities to permissions on queues, topics, and channels. CVE-2024-31912 breaks this model through an incorrect privilege assignment in specific configurations.
An authenticated user who already holds limited access on the queue manager can perform actions that elevate their effective privileges. The result extends what the user can read, write, or administer beyond the boundary the access control model was intended to enforce.
The attack vector is network-based, with low complexity and low privileges required. No user interaction is needed. Scope remains unchanged, but confidentiality, integrity, and availability impacts are all high. The EPSS probability is 0.235% with a percentile of 46.47.
Root Cause
The root cause is classified under [CWE-266] Incorrect Privilege Assignment. Under certain configurations, IBM MQ grants a privilege to an actor that the actor should not receive based on the intended authorization model. The flaw resides in how MQ resolves and assigns identity-bound privileges in the affected 9.3 release stream.
Attack Vector
The attacker must first authenticate to the queue manager with valid low-privilege credentials. Once authenticated, the attacker interacts with MQ over the network through standard administrative or messaging interfaces. The misassigned privilege then becomes available, allowing the attacker to operate as a higher-privileged identity within the MQ environment.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the IBM X-Force Vulnerability #289894 entry for additional technical detail.
Detection Methods for CVE-2024-31912
Indicators of Compromise
- Authorization events in MQ error logs (AMQERR01.LOG) showing unexpected successful operations by low-privileged user IDs.
- New or modified OAM authority records granting elevated permissions on queues, topics, channels, or the queue manager itself.
- Unusual administrative MQSC commands executed by user accounts that should not possess +chg, +ctrl, or +ctrlx authorities.
Detection Strategies
- Audit IBM MQ authority events and configuration events by enabling MQSC ALTER QMGR AUTHOREV(ENABLED) CONFIGEV(ENABLED) and forwarding the events to a SIEM.
- Baseline normal MQ administrative activity per user ID and alert on deviations, especially privilege grants and channel modifications.
- Correlate MQ authentication events with downstream administrative API calls to detect post-authentication privilege abuse.
Monitoring Recommendations
- Forward MQ event queues (SYSTEM.ADMIN.QMGR.EVENT, SYSTEM.ADMIN.CONFIG.EVENT) to a centralized log platform.
- Monitor changes to mqs.ini and qm.ini configuration files for unauthorized modifications to authorization service stanzas.
- Track usage of setmqaut and equivalent administrative tooling on MQ servers.
How to Mitigate CVE-2024-31912
Immediate Actions Required
- Inventory all IBM MQ 9.3 LTS and 9.3 CD deployments and identify queue managers running affected fix pack levels.
- Apply the IBM security update referenced in the IBM Support Advisory #7158072 as soon as it is validated in a test environment.
- Review and tighten OAM authority records, removing any unnecessary grants to low-privilege user IDs.
- Rotate credentials for MQ administrative and service accounts after patching.
Patch Information
IBM has issued a security bulletin and remediation guidance for affected versions. Customers should consult the IBM Support Advisory #7158072 for the fix pack or interim fix corresponding to their installed version of IBM MQ 9.3 LTS or 9.3 CD. Apply the fix during a scheduled maintenance window and validate queue manager startup and authorization behavior afterward.
Workarounds
- Restrict access to MQ listener ports using network segmentation and firewall rules so only trusted hosts can authenticate to queue managers.
- Enforce least privilege on all MQ user IDs by removing standing administrative authorities and requiring just-in-time elevation.
- Disable or restrict the configurations identified by IBM as required preconditions for the privilege escalation until the patch is applied.
# Example: review authority records for a queue manager
dspmqaut -m QM1 -t qmgr -p appuser
# Remove unneeded administrative authorities from a low-privilege user
# (setmqaut revokes an authority with a leading "-"; "-remove" would delete the whole profile)
setmqaut -m QM1 -t qmgr -p appuser -chg -ctrl -ctrlx -dsp
# Enable authorization and configuration event monitoring
echo "ALTER QMGR AUTHOREV(ENABLED) CONFIGEV(ENABLED)" | runmqsc QM1
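As an added example (not code from the advisory or from IBM), the following Python audit applies the least-privilege review and baseline-deviation approach above to dspmqaut output: it parses the authority list for a principal, flags authorities beyond an assumed application baseline, and builds the matching setmqaut revocation. The sample dspmqaut output, the ADMIN_AUTHS set beyond chg/ctrl/ctrlx, and the APP_BASELINE set are constructed assumptions.

```python
import re

# Queue-manager authorities that confer administrative power. chg/ctrl/ctrlx
# are the ones named in the advisory; the rest are assumed equally unsuitable
# for an application principal.
ADMIN_AUTHS = {"chg", "ctrl", "ctrlx", "set", "setall", "setid", "crt", "dlt", "clr"}
# Assumed least-privilege baseline for an application (non-admin) user ID.
APP_BASELINE = {"connect", "inq", "dsp"}

_HEADER = re.compile(r"^Entity (\S+) has the following authorizations for object (\S+):")


def parse_dspmqaut(text):
    """Return (entity, object, authorities) parsed from dspmqaut text output."""
    entity = obj = None
    auths = set()
    for line in text.splitlines():
        tok = line.strip()
        m = _HEADER.match(tok)
        if m:
            entity, obj = m.group(1), m.group(2)
        elif entity and tok:
            auths.add(tok)  # each authority is printed on its own indented line
    if entity is None:
        raise ValueError("no dspmqaut header found")
    return entity, obj, auths


def excess_authorities(auths, baseline=APP_BASELINE):
    """Authorities held beyond the baseline, administrative ones listed first."""
    return sorted(auths - baseline, key=lambda a: (a not in ADMIN_AUTHS, a))


def remediation_command(qmgr, entity, extra):
    """setmqaut command revoking each excess authority (a leading '-' removes)."""
    if not extra:
        return None
    return f"setmqaut -m {qmgr} -t qmgr -p {entity} " + " ".join("-" + a for a in extra)


# Constructed sample output, not captured from a real queue manager.
SAMPLE = """\
Entity appuser has the following authorizations for object QM1:
        connect
        inq
        dsp
        chg
        ctrl
        setall
"""
```

Running parse_dspmqaut, excess_authorities and remediation_command over SAMPLE yields the command `setmqaut -m QM1 -t qmgr -p appuser -chg -ctrl -setall`; review the output before executing it, since revoking an authority a service genuinely needs will break that application.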
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.