IBM Support

FDCs with Probe Id RM031001 rrcE_PROTOCOL_ERROR, AMQ9504E, after applying fix packs IBM MQ 9.1.0.16, 9.2.0.15 or 9.3.0.6 or later to the queue manager, when old MQ Java 5.2 or 5.3 clients get RC 2009 (Security APAR IT42945, CVE-2023-28513)

Question & Answer


Question

After upgrading your IBM MQ queue manager to Fix Pack MQ 9.1.0.16, 9.2.0.15 or 9.3.0.6, some of your MQ client applications that worked fine for many years are now having connectivity issues (for example, rc 2009 MQRC_CONNECTION_BROKEN), and the queue manager is generating many FDCs in the following format:
| Probe Id          :- RM031001
| Component         :- rriAcceptSess                                       
| Program Name      :- amqrmppa                                            
| Major Errorcode   :- rrcE_PROTOCOL_ERROR                                 
| Probe Type        :- MSGAMQ9504                                          
| Probe Description :- AMQ9504E: A protocol error was detected for channel 
|   ''.                                                                    
| Arith1            :- 11 (0xb)                                            
| Arith2            :- 268 (0x10c)                
.
The following entry is found in the error log of the queue manager:
.
AMQ9504E: A protocol error was detected for channel ''.
EXPLANATION:
During communications with the remote queue manager, the channel program
detected a protocol error. The failure type was 11 with associated data of 268.

 

Cause

The FDCs are a side-effect of having very old versions of MQ Java/JMS client applications (version 5.2 or 5.3). These clients can no longer connect to a queue manager at the latest fix packs MQ 9.1.0.16, 9.2.0.15 or 9.3.0.6, because these fix packs include the fix for security APAR IT42945 (CVE-2023-28513).
.
When the queue manager has the fix for APAR IT42945, there is an unintended side-effect: if the remote MQ client application is at a very old level of MQ, such as 5.2 or 5.3, FDCs are generated on the host of the queue manager, and the connection with the client is disconnected (rc 2009 MQRC_CONNECTION_BROKEN).
.
Most likely you no longer have MQ 5.2 or 5.3 installed. Instead, your development team has embedded the MQ 5.2 or 5.3 jar files inside a .war or .ear file and deployed the MQ client application on a Java EE application server.
Please keep in mind that IBM MQ Support cannot discuss Security APARs and will only refer to the published information about the APAR that is provided in IBM Security Bulletins. Thus, please do not open a Support Ticket to ask for technical details on Security APARs.
++ For more details on the APAR and the Security Bulletin see:
https://www.ibm.com/support/pages/security-bulletin-ibm-mq-affected-denial-service-vulnerability-cve-2023-28513
Security Bulletin: IBM MQ is affected by a denial of service vulnerability (CVE-2023-28513)
.
The following installable MQ components are affected by the vulnerability:
- Server
.
This Security Bulletin refers to APAR IT42945
 

Answer

+++ SOLUTIONS:
.
- As a temporary workaround, you can uninstall the fix pack on the host of the queue manager (but the problem will reappear when applying a fix pack!)
.
- For a permanent solution, the old MQ client application at 5.2 or 5.3 needs to be updated and recompiled with a supported version of MQ.
.
- If the MQ Java/JMS 5.2/5.3 jar files are embedded, you need to remove them from the application, install the MQ JMS Resource Adapter at 9.2 or 9.3, and customize your application server to use the newer MQ JMS code instead of the ancient one.
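
To find which deployed archives still embed the old MQ Java/JMS jars described above, the following added example (not IBM code) walks .ear/.war files, including archives nested inside them, and reports each embedded MQ client jar with the Implementation-Version from its manifest. It assumes the jar file names com.ibm.mq.jar and com.ibm.mqjms.jar and that the manifest carries a version; jars without one are reported as unknown and need a manual check.

```python
import io
import re
import sys
import zipfile

# Assumption: classic MQ Java/JMS client jar file names to look for.
MQ_JARS = {"com.ibm.mq.jar", "com.ibm.mqjms.jar"}
ARCHIVE_EXT = (".ear", ".war", ".rar", ".jar")
OLD_LEVELS = ("5.2", "5.3")  # client levels named in this technote


def manifest_version(jar_bytes):
    """Return Implementation-Version from a jar's manifest, or None."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    m = re.search(r"^Implementation-Version:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None


def scan(data, path, depth=0, max_depth=4):
    """Walk nested archives; return [(location, version, is_old)].
    is_old is None when the manifest carries no version to judge."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if not base.endswith(ARCHIVE_EXT):
                continue
            where, inner = f"{path}!/{name}", zf.read(name)
            if base in MQ_JARS:
                ver = manifest_version(inner)
                is_old = ver.startswith(OLD_LEVELS) if ver else None
                hits.append((where, ver, is_old))
            elif depth < max_depth:
                hits += scan(inner, where, depth + 1, max_depth)
    return hits


if __name__ == "__main__":
    for archive in sys.argv[1:]:
        with open(archive, "rb") as fh:
            for where, ver, old in scan(fh.read(), archive):
                print(where, ver or "unknown version", "OLD" if old else "")
```

Run it with the paths of the deployed .ear/.war files as arguments; every line marked OLD, or with an unknown version, points at an embedded client jar to replace with the MQ JMS Resource Adapter.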

+++ end +++


Document Information

Modified date:
18 October 2023

UID

ibm17028515