History: Mar 23, 2020 - 8:41 p.m.

Security Bulletin: IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client

2020-03-23 20:41:52
www.ibm.com

9.8 High (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

WebSphere MQ V9.0 libraries are shipped with IBM Integration Bus; IBM Integration Bus is therefore affected by the IBM WebSphere MQ JMS client deserialization RCE vulnerability.

Vulnerability Details

CVEID: CVE-2016-0360
DESCRIPTION: IBM WebSphere MQ JMS client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Note that IBM's own vector rates Attack Complexity HIGH (base score 8.1), reflecting that the attacker needs a usable gadget class already present on the classpath, whereas the aggregator header above lists AC:L and a score of 9.8.

Please consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for more details.

Affected Products and Versions

IBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8

Remediation/Fixes

Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus | V10.0.0.0 to V10.0.0.9 | IT21160 | The APAR is available in fix pack 10.0.0.10: http://www-01.ibm.com/support/docview.wss?uid=swg24043943
IBM Integration Bus | V9.0.0.0 to V9.0.0.8 | IT21160 | The APAR is available in fix pack 9.0.0.9: http://www-01.ibm.com/support/docview.wss?uid=swg24043947

Remediation for users of versions V9.0.0.7, V10.0.0.8 and above:
If MQ JMS is used, you are affected by this vulnerability. To remediate it, the following steps are required:
1. Apply the fix for IBM Integration Bus APAR IT21160.
2. Specify the allowlist of classes that may be deserialized from JMS ObjectMessage payloads, as a JVM system property on the integration server:

mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v "-Dcom.ibm.mq.jms.allowlist=<fully qualified class names, comma-separated>"

e.g.:

mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v "-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn"
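To make concrete what the allowlist property defends against, here is an added example in plain Java (it is not IBM's code and not the MQ JMS client's implementation of com.ibm.mq.jms.allowlist): an ObjectInputStream subclass that refuses any class not named in a comma-separated allowlist read from a system property, which is the same shape of control the -Dcom.ibm.mq.jms.allowlist setting above applies to ObjectMessage payloads. The property name demo.allowlist, the OrderEvent and Unexpected classes and the serialized bytes are all constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.HashSet;
import java.util.Set;

public class AllowlistDemo {

    // Refuses to resolve (and therefore to load or instantiate) any class whose
    // name is not on the allowlist. The check happens before the class is loaded,
    // so a gadget's static initialiser and readObject() never execute.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            // Deny by default: anything not explicitly listed (arrays included) is refused.
            if (!allowed.contains(name)) {
                throw new InvalidClassException(name, "class not in deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    // Parses the same "a.b.C,d.e.F" value shape used in the mqsichangeproperties example.
    static Set<String> parseAllowlist(String value) {
        Set<String> set = new HashSet<>();
        if (value == null) return set;
        for (String entry : value.split(",")) {
            String name = entry.trim();
            if (!name.isEmpty()) set.add(name);
        }
        return set;
    }

    // Payload type an application legitimately exchanges over JMS (constructed for the demo).
    public static final class OrderEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String orderId;
        OrderEvent(String orderId) { this.orderId = orderId; }
    }

    // Stand-in for a class that should never arrive on the wire (constructed; it is simply not listed).
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            System.out.println("readObject() ran: this is where a gadget chain would execute");
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Same value shape as the jvmSystemProperty on the page, under a demo property name (assumption).
        System.setProperty("demo.allowlist", OrderEvent.class.getName());
        Set<String> allowed = parseAllowlist(System.getProperty("demo.allowlist"));

        OrderEvent ok = (OrderEvent) deserialize(serialize(new OrderEvent("A-1001")), allowed);
        System.out.println("allowed: " + ok.orderId);

        try {
            deserialize(serialize(new Unexpected()), allowed);
            System.out.println("BUG: unlisted class was deserialized");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDemo.java && java AllowlistDemo`: the OrderEvent round-trips, while Unexpected is refused inside resolveClass, so its readObject() hook never runs. That refusal-before-load behaviour is what makes a class allowlist effective against gadget chains, and it is why the allowlist should name only the concrete payload classes the flows actually exchange rather than broad packages. On Java 9 and later (and 8u121 and later) the JDK's own java.io.ObjectInputFilter offers the same hook without subclassing. On IBM Integration Bus, restart the integration server after changing jvmSystemProperty so the new JVM option takes effect, and confirm the value with `mqsireportproperties <INode> -e <IServer> -o ComIbmJVMManager -r`.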

Remediation for users of versions prior to V10.0.0.8 and V9.0.0.7:
You will need to update MQ. Consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for details.

Workarounds and Mitigations

None

