Security Bulletin
Summary
WebSphere MQ V9.0 libraries are shipped in IBM Integration Bus and hence IBM Integration Bus is vulnerable to IBM WebSphere MQ JMS client deserialization RCE vulnerability.
Vulnerability Details
CVEID: CVE-2016-0360
DESCRIPTION: IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Please consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for more details
.
Affected Products and Versions
IBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8
Remediation/Fixes
Product | VRMF | APAR | Remediation/Fix |
IBM Integration Bus | V10.0.0.0 to V10.0.0.9 | IT21160 | The APAR is available in fix pack 10.0.0.10 http://www-01.ibm.com/support/docview.wss?uid=swg24043943 |
IBM Integration Bus | V9.0.0.0 to V9.0.0.8 | IT21160 | The APAR is available in fix pack 9.0.0.9 http://www-01.ibm.com/support/docview.wss?uid=swg24043947 |
Remediation for users of versions V9.0.0.7, V10.0.0.8 and above:
If MQ JMS is used, then you are applicable to this vulnerability. To get around this vulnerability, the following steps are required
1. Apply the fix for IBM Integration Bus APAR IT21160
2. Specify the whiltelist classes as below
mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v <full qualified class names in comma separated form>
eg : mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v \ "-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn\"
Remediation for users of versions prior to V10.0.0.8 and V9.0.0.7:
You will need to update MQ. Consult the security bulletin IBM WebSphere MQ JMS client deserialization RCE vulnerability for details.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
The vulnerability was reported to IBM by Matthias Kaiser of Code White (www.code-white.com)
Change History
29 September 2017: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Product Synonym
IIB
Was this topic helpful?
Document Information
Modified date:
23 March 2020
UID
swg22008829