Some customers ask which security vulnerabilities affect the MQ Monitoring agent, but a comprehensive list is not easy to find.
Based on this need, I have put together a list of known vulnerabilities that do (or do not) affect the MQ agent specifically. ITM has its own list of vulnerabilities, but it is not covered here.
As far as I can tell, we are:
>> NOT AFFECTED by:
1) CVE-2014-3566 (aka POODLE)
2) CVE-2014-0160 (aka OpenSSL heartbleed)
3) CVE-2013-0169 (aka Lucky 13)
>> AFFECTED by some vulnerabilities when using IP.SPIPE communications.
1) This can be avoided by using IP.PIPE and, if needed, disabling port 3661:
How do you disable https port 3661 to avoid security scan vulnerability?
By default, the http port 1920 and https port 3661 are opened during initialization of the ITM components. If you are not using the https port 3661 and it poses a security vulnerability, then you can disable the port using the configuration parameter below:
KDC_FAMILIES=HTTP:1920 IP.PIPE PORT:1918 IP use:n SNA use:n IP.SPIPE use:n https:0
The above variable is found in the ITM component's configuration file or in the Windows registry.
Note: It is not recommended to disable the https port 3661 on the TEMS server, because the tacmd command and the SOAP queries will not work without the https port.
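The check below is an added example, not part of the original note or of the product: it parses a KDC_FAMILIES value and reports whether the https listener and IP.SPIPE are still enabled. The parsing rules (a bare token names a protocol family, a key:value token modifies the family before it, HTTP/HTTPS are global, a named family is enabled unless it carries use:n) are assumptions inferred from the string shown above.

```python
# Added example: audit a KDC_FAMILIES value for the settings discussed above.
# Parsing rules are an assumption inferred from the string on this page:
# a token without ':' names a protocol family, and a 'key:value' token is a
# modifier of the family before it (HTTP/HTTPS are treated as global ports).
GLOBAL_KEYS = {"HTTP", "HTTPS"}

def parse_kdc_families(value):
    """Return (families, global_opts): per-family modifiers and global ports."""
    families, global_opts, current = {}, {}, None
    for token in value.split():
        if ":" not in token:
            current = token.upper()
            families.setdefault(current, {})
            continue
        key, _, val = token.partition(":")
        key = key.upper()  # the page mixes HTTP and https, so ignore case
        if key in GLOBAL_KEYS or current is None:
            global_opts[key] = val
        else:
            families[current][key] = val
    return families, global_opts

def audit(value):
    """List findings relevant to the port 3661 / IP.SPIPE scan complaint."""
    families, global_opts = parse_kdc_families(value)
    findings = []
    https = global_opts.get("HTTPS")
    if https is None:
        findings.append("HTTPS not set: default https port 3661 will be opened")
    elif https != "0":
        findings.append(f"HTTPS listener enabled on port {https}")
    for name, opts in families.items():
        if name.endswith("SPIPE") and opts.get("USE", "y").lower() != "n":
            findings.append(f"{name} is not disabled (use:n missing)")
    pipe = families.get("IP.PIPE")
    if pipe is None or pipe.get("USE", "y").lower() == "n":
        findings.append("IP.PIPE is not available as the replacement protocol")
    return findings

if __name__ == "__main__":
    # First value is the one from this page; the second is constructed.
    samples = [
        "HTTP:1920 IP.PIPE PORT:1918 IP use:n SNA use:n IP.SPIPE use:n https:0",
        "IP.PIPE PORT:1918 IP.SPIPE PORT:3660",
    ]
    for s in samples:
        print(s, "->", audit(s) or "OK")
```

On the TEMS server a finding about the https listener is expected, since the note above advises leaving port 3661 enabled there.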
2) [medium] [3661/tcp/http_proxy] IETF X.509 Certificate Signature Collision Vulnerability
The resolution to the weak encryption of self-signed certificates is to get new certificates.
The resolution to weak ciphers is to take the measures outlined in the technote http://www-01.ibm.com/support/docview.wss?uid=swg21409164.
In summary, if the complaint is about the weak signatures and hash on the ITM self-signed certificates, then NEW certificates must be obtained.
There is no other way to remedy this complaint. Follow the procedure 'Setting up asymmetric encryption' from here:
Of course, please always install the latest versions of the products, which resolve any vulnerabilities found up to that maintenance level.
The latest versions of the Messaging agents are V710 FP1 IF3 and V730.
For any additional specific security vulnerabilities, please report them in a dedicated PMR so that we can investigate.