IZ01272: Potential security exposure in MQ client channels

APAR status

  • Closed as program error.

Error description

  • A problem has been discovered which can enable an application
    to connect into a queue manager via a SVRCONN (MQ client)
    channel regardless of whether it is secured with a
    security exit or mcauser.
    
    This affects all distributed releases of MQ, prior to 6.0.2.2 or
    5.3 fix pack 14.
    
    
    Interim fixes for this APAR can be found under "Platform
    downloads" or "Download to all Fix Packs" here:
    http://www.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    

Local fix

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    Users of client channels. This affects all releases of MQ on
    all distributed platforms. The fix need only be applied to WMQ
    server systems. It does not need to be applied to systems with
    client-only code.
    
    Platforms affected:
     All Distributed (iSeries, all Unix and Windows)
    ****************************************************************
    PROBLEM SUMMARY:
    A potential security exposure has been discovered which allows
    access through a client channel to a queue manager, even
    if the channel is protected with a security exit or mcauserid.
    No further details will be provided.
    

Problem conclusion

  • The potential security exposure is resolved with application of
    this APAR.
    
    The fix need only be applied to WMQ server systems. It does not
    need to be applied to systems with client-only code.
    
    No further details will be provided.
    
    Related fixes for other platforms:
    
    APAR PK47908 - WebSphere MQ for z/OS V5.2, V5.3.0 and V5.3.1
    APAR PK47913 - WebSphere MQ for z/OS V6.0
    APAR SE29541 - WebSphere MQ for iSeries V5.3
    APAR SE29561 - WebSphere MQ for iSeries V6.0
    APAR IC53371 - WebSphere MQ for HP Nonstop Server V5.3
    APAR IC53372 - MQSeries for Compaq NonStop Kernel V5.1
    APAR PK50462 - MQSeries for VSE/ESA, V2.1.2
    APAR IC53387 - MQSeries for Tru64 V5.1
    
    IBM acknowledges the assistance of those users, including the
    Security Assurance Team of the National Australia Bank, who
    contributed to the diagnosis of the problem and to the testing
    of the resolution.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
                       v5.3
    Platform           Fix Pack 14
    --------           --------------------
    Windows            U200266
    AIX                U808477
    HP-UX (PA-RISC)    U808478
    Solaris (SPARC)    U808480
    iSeries            SI24366
    Linux (x86)        U808481
    Linux (zSeries)    U808483
    
                       v6.0
    Platform           Fix Pack 6.0.2.2
    --------           --------------------
    Windows            U200270
    AIX                U809895
    HP-UX (PA-RISC)    U809898
    HP-UX (Itanium)    U810084
    Solaris (SPARC)    U809913
    Solaris (x86-64)   U810362
    iSeries            SI27286
    Linux (x86)        U809950
    Linux (x86-64)     U810178
    Linux (zSeries)    U810081
    Linux (Power)      U810083
    Linux (s390x)      U810110
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available, information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ01272

  • Reported component name

    WMQ AIX V6

  • Reported component ID

    5724H7201

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2007-07-18

  • Closed date

    2007-08-02

  • Last modified date

    2009-01-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ AIX V6

  • Fixed component ID

    5724H7201

Applicable component levels

  • R600 PSY

       UP



Document information


More support for:

WebSphere MQ
APAR

Software version:

6.0

Reference #:

IZ01272

Modified date:

2009-01-28
