Security Bulletin: IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client

Security Bulletin


Summary

WebSphere MQ V9.0 libraries are shipped in IBM Integration Bus, and hence IBM Integration Bus is vulnerable to the IBM WebSphere MQ JMS client deserialization RCE vulnerability.

Vulnerability Details


CVEID: CVE-2016-0360
DESCRIPTION:
IBM WebSphere MQ JMS client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Please consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for more details.

Affected Products and Versions

IBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8

Remediation/Fixes

Product             | VRMF                    | APAR    | Remediation/Fix
IBM Integration Bus | V10.0.0.0 to V10.0.0.9  | IT21160 | The APAR is available in fix pack 10.0.0.10: http://www-01.ibm.com/support/docview.wss?uid=swg24043943
IBM Integration Bus | V9.0.0.0 to V9.0.0.8    | IT21160 | The APAR is available in fix pack 9.0.0.9: http://www-01.ibm.com/support/docview.wss?uid=swg24043947

Remediation for users of versions V9.0.0.7, V10.0.0.8 and above:
If MQ JMS is used, you are affected by this vulnerability. To address it, both of the following steps are required:
1. Apply the fix for IBM Integration Bus APAR IT21160.
2. Specify the whitelist of classes that may be deserialized, as a JVM system property on the integration server, as below:

mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v "\"-Dcom.ibm.mq.jms.allowlist=<fully qualified class names, comma separated>\""

eg: mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v "\"-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn\""
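The allowlist above works because the class name of every serialized object is present in the stream header before any of that class's code runs, so a deserializer can refuse unknown classes up front. The following is an added illustration of that look-ahead check, written for this bulletin; it is not IBM's implementation and does not show how the MQ JMS client applies com.ibm.mq.jms.allowlist internally. It assumes a hypothetical AllowlistObjectInputStream that reads the same comma-separated class-name format as the -D property, and it uses constructed sample objects (an ArrayList of strings that is allowed and a HashMap that is not).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Set;

/**
 * Hypothetical look-ahead deserializer (added example, not IBM code).
 * The class named in the stream is checked against an allowlist in
 * resolveClass(), i.e. before the class is loaded or any readObject()
 * logic of that class executes.
 */
public class AllowlistObjectInputStream extends ObjectInputStream {
    private final Set<String> allowed;

    public AllowlistObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    // Parses the same comma-separated form used by -Dcom.ibm.mq.jms.allowlist=...
    public static Set<String> parseAllowlist(String property) {
        Set<String> names = new HashSet<>();
        if (property == null) {
            return names;
        }
        for (String name : property.split(",")) {
            String trimmed = name.trim();
            if (!trimmed.isEmpty()) {
                names.add(trimmed);
            }
        }
        return names;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowed.contains(name)) {
            // Reject here: nothing of the unknown class has been instantiated yet.
            throw new InvalidClassException(name, "class not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowlistObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed allowlist in the same format as the -D property value.
        Set<String> allowed = parseAllowlist("java.util.ArrayList,java.lang.String");

        // Allowed: the stream names java.util.ArrayList, which is on the list.
        byte[] ok = serialize(new ArrayList<>(Arrays.asList("order-1", "order-2")));
        System.out.println("allowed: " + deserialize(ok, allowed));

        // Not allowed: the stream names java.util.HashMap, which is not on the list,
        // so resolveClass() throws before any HashMap instance is created.
        byte[] rejected = serialize(new HashMap<String, String>());
        try {
            deserialize(rejected, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that java.lang.String values inside the list do not pass through resolveClass (strings have their own stream type), so the list entry for it is harmless but not needed; every Serializable superclass of an allowed type, however, is also resolved and must be listed. On Java 9 and later the standard way to express the same policy is java.io.ObjectInputFilter (JEP 290), which applies the check at the same point.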

Remediation for users of versions prior to V10.0.0.8 and V9.0.0.7:
You will need to update MQ. Consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for details.

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Matthias Kaiser of Code White (www.code-white.com)

Change History

29 September 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product Synonym

IIB

Document Information

Modified date:
23 March 2020

UID

swg22008829