Security Bulletin: IBM MQ and IBM WebSphere MQ are affected by Side channel attacks on modular exponentiation (CVE-2016-0702)

Summary

IBM MQ and WebSphere MQ have addressed CVE-2016-0702

The GSKit cryptographic libraries supplied with MQ are impacted by the same issue described in the OpenSSL disclosure.

Vulnerability Details

CVEID: CVE-2016-0702**
DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a side-channel attack against a system based on the Intel Sandy-Bridge microarchitecture. An attacker could exploit this vulnerability to recover RSA keys.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111144 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

WebSphere MQ v7.0.1

• Maintenance levels 7.0.1.0 - 7.0.1.14

WebSphere MQ v7.1

• Maintenance levels 7.1.0.0 - 7.1.0.9

WebSphere MQ v7.5

• Maintenance levels 7.5.0.0 - 7.5.0.8

IBM MQ v8

• Maintenance levels 8.0.0.0 - 8.0.0.8

IBM MQ v9 LTS

• Maintenance levels 9.0.0.0 - 9.0.0.2

IBM MQ v9 CD

• Maintenance levels 9.0.0 - 9.0.4

Remediation/Fixes

WebSphere MQ v7.0.1

• Raise a support ticket with WebSphere MQ support requesting a fix for APAR IT25200

WebSphere MQ v7.1

• Raise a support ticket with WebSphere MQ support requesting a fix for APAR IT25200

WebSphere MQ v7.5

• Apply iFix IT25200

IBM MQ v8

• Apply Fixpack 8.0.0.9

IBM MQ v9 LTS

• Apply Fixpack 9.0.0.3

IBM MQ v9 CD

• Upgrade to 9.0.5