9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
A potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.
JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls. Applications which call toString() on a javax.jms.Message which has an underlying type of ObjectMessage can also be vulnerable, as this method performs deserialization. The MQ classes for JMS trace will call toString() on a javax.jms.Message object, and so are also vulnerable if the underlying type is an ObjectMessage.
CVEID: CVE-2016-0360**
DESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
IBM MQ 9.0
IBM MQ 9.0.0.0 only
IBM WebSphere MQ 8.0
IBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels
IBM WebSphere MQ 7.5
IBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels
IBM WebSphere MQ 7.1
IBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels
IBM WebSphere MQ 7.0.1
IBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels
IBM MQ 9.0 (Long Term Support)
Apply 9.0.0.1 maintenance level when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.
IBM MQ 9.0 (Continuous Delivery)
Serialization allowlisting is available from IBM MQ 9.0.1. Upgrade to latest version of IBM MQ and follow instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.
IBM WebSphere MQ 8.0
Apply 8.0.0.6 maintenance level and follow instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.
IBM WebSphere MQ 7.5
Apply Fixpack 7.5.0.8 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.
** **IBM WebSphere MQ 7.1
Apply Fixpack 7.1.0.9 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.
** **IBM WebSphere MQ 7.0.1
Apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.
IBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. To ensure that messages come from recognised senders, a security mechanism, such as MQ’s AMS (Advanced Message Security), can be used.
CPE | Name | Operator | Version |
---|---|---|---|
websphere mq | eq | 9.0 | |
websphere mq | eq | 8.0 | |
websphere mq | eq | 7.5 | |
websphere mq | eq | 7.1 | |
websphere mq | eq | 7.0.1 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P