IC78034: WEBSPHERE MQ OVMS V6 NON-MQM USERS ARE ABLE TO SUCCESSFULLY ISSUE WEBSPHERE MQ CONTROL COMMANDS

APAR status

  • Closed as program error.

Error description

  • A low-level user can successfully issue some of the
    WebSphere MQ control commands, for instance ENDMQCSV and
    ENDMQLSR, when they should not be permitted to. Other
    WebSphere MQ control commands are correctly restricted.
    

Local fix

Problem summary

  • WMQ V6 on OVMS could allow local non-privileged users to
    execute some MQ control commands on the system. This
    happens when MQM group default rights are set on the
    system. By logging in as a low-privileged user (one who
    has not been granted the MQM RESOURCE IDENTIFIER), an
    attacker could exploit this vulnerability to execute
    arbitrary MQ control commands on the system. The issue is
    caused by allowing these low-privileged users to run MQ
    applications successfully, which is enabled by executing
    OVMS commands.
    

Problem conclusion

  • The fix for this APAR is designed to verify whether the
    granted MQM group rights are present in the UAF (system
    authorization file) for that particular user. This check
    happens as part of the initialization process when
    executing any MQ control command.
    .
    The fix for this APAR will be incorporated in the next
    fix pack release, WMQ-V6.0.2.11, on OpenVMS Alpha and IA64.
    

Temporary fix

  • In line with WMQ on UNIX, non-MQM users are not allowed
    to run most of the MQ control commands on OpenVMS.
    .
    For version WMQ V6 ECO-3:
    - Consult IBM support and get the fix to be installed.
    .
    For version WMQ V6 ECO-2:
    - Consult IBM support and get the fix to be installed.
    .
    For versions prior to WMQ V6 ECO-2:
    - Upgrade to WMQ V6 ECO-2, then get the fix as mentioned above.
    .
    

Comments

APAR Information

  • APAR number

    IC78034

  • Reported component name

    MQSERIES OVMS I

  • Reported component ID

    5724A3802

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-08-10

  • Closed date

    2011-11-14

  • Last modified date

    2011-12-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    MQSERIES OVMS I

  • Fixed component ID

    5724A3802

Applicable component levels

  • R600 PSY

       UP



Document information


More support for:

WebSphere MQ
APAR

Software version:

6.0

Reference #:

IC78034

Modified date:

2011-12-21
