Security Bulletin: MQSISTOP/STARTMSGFLOW commands with unauthorized user succeed affects IBM WebSphere Message Broker and IBM Integration Bus (CVE-2015-5011)

Summary

MQSISTOP/STARTMSGFLOW commands with unauthorized user succeed affecting IBM WebSphere Message Broker and IBM Integration Bus

Vulnerability Details

CVEID: CVE-2015-5011**
DESCRIPTION:** IBM Integration Bus could allow a local user to start and stop a service that they should not have access to.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Integration Bus V9

WebSphere Message Broker V8

Remediation/Fixes

Product

| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus| V9| PI28139 | The APAR is available in fix pack 9.0.0.4
https://www-304.ibm.com/support/docview.wss?rs=849&uid=swg24040542
WebSphere Message Broker
| V8| PI28139 | The APAR is available in fix pack 8.0.0.6
http://www-01.ibm.com/support/docview.wss?rs=849&uid=swg24040259

Workarounds and Mitigations

None