Security Bulletin: IBM WebSphere MQ JMS client deserialization RCE vulnerability (CVE-2016-0360)

Summary

A potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.

Vulnerability Details

JMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls. Applications which call toString() on a javax.jms.Message which has an underlying type of ObjectMessage can also be vulnerable, as this method performs deserialization. The MQ classes for JMS trace will call toString() on a javax.jms.Message object, and so are also vulnerable if the underlying type is an ObjectMessage.

CVEID: CVE-2016-0360**
DESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM MQ 9.0

IBM MQ 9.0.0.0 only

IBM WebSphere MQ 8.0

IBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels

IBM WebSphere MQ 7.5

IBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels

IBM WebSphere MQ 7.1

IBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels

IBM WebSphere MQ 7.0.1

IBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels

Remediation/Fixes

IBM MQ 9.0 (Long Term Support)

Apply 9.0.0.1 maintenance level when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.

IBM MQ 9.0 (Continuous Delivery)

Serialization allowlisting is available from IBM MQ 9.0.1. Upgrade to latest version of IBM MQ and follow instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.

IBM WebSphere MQ 8.0

Apply 8.0.0.6 maintenance level and follow instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.

IBM WebSphere MQ 7.5

Apply Fixpack 7.5.0.8 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.

** **IBM WebSphere MQ 7.1

Apply Fixpack 7.1.0.9 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.

** **IBM WebSphere MQ 7.0.1

Apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization allowlisting.

Workarounds and Mitigations

IBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. To ensure that messages come from recognised senders, a security mechanism, such as MQ’s AMS (Advanced Message Security), can be used.