Lucene search

K
ibmIBM0652F41D05CD120572DF6DD5C884CC6764A64E25C095F83A7BA314019036874F
HistoryMar 23, 2020 - 8:41 p.m.

Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client

2020-03-2320:41:52
www.ibm.com
16

EPSS

0.004

Percentile

75.1%

Summary

WebSphere MQ V9.0 libraries are shipped in IBM Integration Bus and hence IBM Integration Bus is vulnerable to IBM WebSphere MQ JMS client deserialization RCE vulnerability.

Vulnerability Details

CVEID: CVE-2016-0360**
DESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Please consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for more details
.

Affected Products and Versions

IBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8

Remediation/Fixes

Product

| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus| V10.0.0.0 to V10.0.0.9| IT21160 | The APAR is available in fix pack 10.0.0.10
<http://www-01.ibm.com/support/docview.wss?uid=swg24043943&gt;
IBM Integration Bus| V9.0.0.0 to V9.0.0.8| IT21160 | The APAR is available in fix pack 9.0.0.9
<http://www-01.ibm.com/support/docview.wss?uid=swg24043947&gt;

Remediation for users of __ versions V9.0.0.7, V10.0.0.8_ and above:_
If MQ JMS is used, then you are applicable to this vulnerability. To get around this vulnerability, the following steps are required
1. Apply the fix for IBM Integration Bus APAR IT21160
2. Specify the whiltelist classes as below

mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v <full qualified class names in comma separated form>

eg : mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v \ "-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn"

Remediation for users of versions prior to V10.0.0.8_ _and V9.0.0.7:
You will need to update MQ. Consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for details.

Workarounds and Mitigations

None

EPSS

0.004

Percentile

75.1%

Related for 0652F41D05CD120572DF6DD5C884CC6764A64E25C095F83A7BA314019036874F