Security Bulletin: IBM WebSphere MQ JMS client deserialization RCE vulnerability (CVE-2016-0360)

Summary

A potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.

Vulnerability Details

JMS Object messages depend on Java serialization for marshalling and unmarshalling of the message payload. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume ObjectMessage-type messages can be vulnerable because they deserialize objects on ObjectMessage.getObject() calls. Applications which call toString() on a javax.jms.Message whose underlying type is ObjectMessage can also be vulnerable, as this method performs deserialization. The MQ classes for JMS trace will call toString() on a javax.jms.Message object, and so are also vulnerable if the underlying type is an ObjectMessage.

CVEID: CVE-2016-0360
DESCRIPTION:
The IBM WebSphere MQ JMS client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM MQ 9.0

IBM MQ 9.0.0.0 only

IBM WebSphere MQ 8.0

IBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels

IBM WebSphere MQ 7.5

IBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels

IBM WebSphere MQ 7.1

IBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels

IBM WebSphere MQ 7.0.1

IBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels

Remediation/Fixes

IBM MQ 9.0 (Long Term Support)

Apply the 9.0.0.1 maintenance level when available. In the interim, apply the patch for APAR IT14385 and follow the instructions in the patch readme to apply serialization allowlisting.

IBM MQ 9.0 (Continuous Delivery)

Serialization allowlisting is available from IBM MQ 9.0.1. Upgrade to the latest version of IBM MQ and follow the instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.

IBM WebSphere MQ 8.0

Apply the 8.0.0.6 maintenance level and follow the instructions in the IBM Knowledge Center to apply ClassName allowlisting in JMS ObjectMessage.

IBM WebSphere MQ 7.5

Apply Fix Pack 7.5.0.8 when available. In the interim, apply the patch for APAR IT14385 and follow the instructions in the patch readme to apply serialization allowlisting.

IBM WebSphere MQ 7.1

Apply Fix Pack 7.1.0.9 when available. In the interim, apply the patch for APAR IT14385 and follow the instructions in the patch readme to apply serialization allowlisting.

IBM WebSphere MQ 7.0.1

Apply the patch for APAR IT14385 and follow the instructions in the patch readme to apply serialization allowlisting.

Workarounds and Mitigations

IBM WebSphere MQ supports Object Messages as part of the JMS specification; however, ObjectMessage usage is discouraged. To mitigate this vulnerability, use message types that do not carry this security flaw, such as JSON or XML. To ensure that messages come from recognised senders, a security mechanism such as MQ's AMS (Advanced Message Security) can be used.
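As an added illustration of the consumer-side handling described in the Vulnerability Details and Workarounds sections (example code, not IBM's): a JMS MessageListener that processes only text payloads such as JSON or XML and rejects any ObjectMessage before getObject() or toString() can run. It assumes the application supplies its own text handler; the allowlist setting itself is not shown because this bulletin does not name it.

```java
import java.util.function.Consumer;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageListener;
import javax.jms.ObjectMessage;
import javax.jms.TextMessage;

/**
 * Listener that never deserializes a JMS ObjectMessage payload.
 * Added example, not IBM MQ code; the text handler is supplied by the application.
 */
public final class TextOnlyMessageListener implements MessageListener {

    private final Consumer<String> textHandler;

    public TextOnlyMessageListener(Consumer<String> textHandler) {
        this.textHandler = textHandler;
    }

    @Override
    public void onMessage(Message message) {
        try {
            if (message instanceof ObjectMessage) {
                // Drop it without touching the payload: getObject() deserializes,
                // and so does toString(), which would also run implicitly if the
                // Message object were concatenated into a log line ("got " + message).
                reject(message, "ObjectMessage");
                return;
            }
            if (message instanceof TextMessage) {
                // A text body (JSON/XML) is a plain String; reading it performs
                // no Java deserialization. Parsing is left to the application.
                textHandler.accept(((TextMessage) message).getText());
                return;
            }
            reject(message, message.getClass().getName());
        } catch (JMSException e) {
            // Report the exception text only, never the Message object itself.
            System.err.println("JMS error while reading message: " + e.getMessage());
        }
    }

    private static void reject(Message message, String type) throws JMSException {
        // JMSMessageID is a header field, so reading it does not deserialize the body.
        System.err.println("Rejected message " + message.getJMSMessageID()
                + " of unsupported type " + type);
    }
}
```

The same rule applies to logging frameworks: pass header fields or the body string to the logger, not the javax.jms.Message object, since the logger will call toString() on it.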

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Acknowledgement

Vulnerability reported to IBM by Matthias Kaiser at Code White (www.code-white.com)

Change History

06 January 2017: Original version published.
07 March 2017: Clarified Vulnerability Details with details of applications which could be vulnerable.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
15 June 2018

UID

swg21983457