logo
DATABASE RESOURCES PRICING ABOUT US

IBM WebSphere MQ 7.0.1.x / 7.1.0.x < 7.1.0.9 / 7.5.0.x < 7.5.0.8 / 8.0.0.x < 8.0.0.6 / 9.0.0.x < 9.0.0.1 Multiple Vulnerabilities

Description

According to its self-reported version, the IBM WebSphere MQ server installed on the remote Windows host is version 7.0.1.x without patch APAR IT14385, 7.1.0.x prior to 7.1.0.9, 7.5.0.x prior to 7.5.0.8, 8.0.0.x prior to 8.0.0.6, or 9.0.0.x prior to 9.0.0.1. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Java Message Service (JMS) in the JMSObjectMessage class due to improper sanitization of input when deserializing Java objects. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-0360) - A flaw exists due to improper data conversion handling that allows an authenticated, remote attacker to crash the MQ channel. (CVE-2016-3013) - A flaw exists that under nonstandard configurations causes password data to be sent in cleartext over the network. A man-in-the-middle attacker can exploit this to disclose passwords. (CVE-2016-3052) - An unspecified flaw exists that allows an authenticated, remote attacker, who has access to the queue manager and queue, to cause a denial of service to other channels running under the same process. (CVE-2016-8915) - A flaw exists that allows an unauthenticated, remote attacker to have an unspecified impact. No other details are available. (CVE-2016-8971) - An unspecified flaw exists that allows an authenticated, remote attacker, who has access to the queue manager, to disrupt MQ channels using specially crafted HTTP requests, resulting in a denial of service condition. (CVE-2016-8986) - An unspecified flaw exists that allows an authenticated, remote attacker, who has authority to create cluster objects, to cause a denial of service condition in MQ clustering. (CVE-2016-9009)


Related