Potential security exposure in secured client channels

 Flash (Alert)
 
Abstract
APAR IZ01272 - Potential security exposure in WebSphere MQ client channels
 
Content
A problem has been discovered which can enable an application to connect into a queue manager via a SVRCONN (MQ client) channel regardless of whether it is secured with a security exit or an MCA Userid (MCAUSER).
This affects all distributed releases of WebSphere MQ prior to 6.0.2.2 or 5.3 fix pack 14.

Download and apply the Interim fixes for APAR IZ01272.

Interim fixes for APAR IZ01272 can be found under "Platform downloads" or "Download to all Fix Packs" here:

http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037

Related fixes for other platforms:

APAR SE29541 - WebSphere MQ for i/Series V5.3
APAR SE29561 - WebSphere MQ for i/Series V6.0
APAR PK47908 - WebSphere MQ for z/OS V5.2, V5.3.0 and V5.3.1
APAR PK47913 - WebSphere MQ for z/OS V6.0
APAR IC53371 - WebSphere MQ for HP Nonstop Server V5.3
APAR IC53372 - MQSeries for Compaq NonStop Kernel V5.1
APAR PK50462 - MQSeries for VSE/ESA™ V2.1.2
APAR IC53387 - MQSeries for Tru64 V5.1

No further details will be provided.

IBM acknowledges the assistance of those users, including the
Security Assurance Team of the National Australia Bank, who
contributed to the diagnosis of the problem and to the testing
of the resolution.

Best practices for securing WebSphere MQ server-client networks

This is to remind licensed users that best practice recommendations for securing WebSphere MQ server-client networks include ensuring that:
  • Queue managers are secured, so that only authorized users are able to connect. SSL, or (at a minimum) a security exit, can be used to better secure server-connection channels.
  • Only genuine WebSphere MQ code and applications are in their networks.
  • System, WebSphere MQ and queue manager logs are monitored to check for error messages or FDCs.
  • Firewalls are used to restrict access by unauthorized users attempting to connect to internal systems. (This is general good practice and applies to all network-bound programs.)
These are standard MQ best practices, and are not new.
 
 
Product Alias/Synonym
WMQ MQ
 
 
 

Document information
 Product categories:
 Software
 Business Integration and Optimization
 Application Integration and Connectivity
 WebSphere MQ
 APAR / Maintenance
 Operating system(s):
  AIX, HP-UX, Linux, OS/390, OS/400, OpenVMS, Solaris, TRU64 UNIX, Tandem NSK, VSE, Windows, z/OS
 Software version:
  5.3, 6.0, 6.0.1, 6.0.1.1, 6.0.2, 6.0.2.1, 6.0.2.2
 Software edition:
  All Editions
 Reference #:
  1266976
 IBM Group:
 Software Group
 Modified date:
 2007-08-06
