WebSphere MQ V9.0 libraries are shipped in IBM Integration Bus and hence IBM Integration Bus is vulnerable to IBM WebSphere MQ JMS client deserialization RCE vulnerability.
CVEID: CVE-2016-0360**
DESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Please consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for more details
.
IBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8
Product
| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus| V10.0.0.0 to V10.0.0.9| IT21160 | The APAR is available in fix pack 10.0.0.10
<http://www-01.ibm.com/support/docview.wss?uid=swg24043943>
IBM Integration Bus| V9.0.0.0 to V9.0.0.8| IT21160 | The APAR is available in fix pack 9.0.0.9
<http://www-01.ibm.com/support/docview.wss?uid=swg24043947>
Remediation for users of __ versions V9.0.0.7, V10.0.0.8_ and above:_
If MQ JMS is used, then you are applicable to this vulnerability. To get around this vulnerability, the following steps are required
1. Apply the fix for IBM Integration Bus APAR IT21160
2. Specify the whiltelist classes as below
mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v <full qualified class names in comma separated form>
eg : mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v \ "-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn"
Remediation for users of versions prior to V10.0.0.8_ _and V9.0.0.7:
You will need to update MQ. Consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for details.
None