IC78034: WEBSPHERE MQ OVMS V6 NON-MQM USERS ARE ABLE TO SUCCESSFULLY ISSUE WEBSPHERE MQ CONTROL COMMANDS
Closed as program error.
A low-level user can successfully issue some of the WebSphere MQ control commands, for instance ENDMQCSV and ENDMQLSR, when they should not be permitted to. Other WebSphere MQ control commands are correctly restricted.
WMQ V6 on OVMS could allow local non-privileged users to execute some MQ control commands on the system. This happens when MQM group default rights are set on the system. By logging in as a low-privileged user (without being granted the MQM RESOURCE IDENTIFIER), an attacker could exploit this vulnerability to execute arbitrary MQ control commands on the system. The issue is caused by allowing these low-privileged users to run MQ applications successfully, which is enabled by executing OVMS commands.
The fix for this APAR is designed to verify whether the granted MQM group rights are available in the UAF system authorization file for that particular user. This check happens as part of the initialization process when executing any MQ control command. The fix for this APAR is going to be incorporated in the next fixpack release, WMQ-V22.214.171.124 on OpenVMS Alpha and Ia64.
In line with WMQ on UNIX, non-MQM users are not allowed to run most of the MQ control commands on OpenVMS.
For version WMQ V6 ECO-3:
- Consult IBM support and get the fix to be installed.
For version WMQ V6 ECO-2:
- Consult IBM support and get the fix to be installed.
For versions prior to WMQ V6 ECO-2:
- Upgrade to WMQ V6 ECO-2, then get the fix as mentioned above.
Reported component name
MQSERIES OVMS I
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
MQSERIES OVMS I
Fixed component ID
Applicable component levels