Security Bulletin: IBM WebSphere MQ JMS client deserialization RCE vulnerability (CVE-2016-0360)


Summary

A potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.

Vulnerability Details

JMS ObjectMessage payloads are marshalled and unmarshalled with Java Serialization. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume messages of type ObjectMessage can be vulnerable, as they deserialize the payload on ObjectMessage.getObject() calls. Applications that call toString() on a javax.jms.Message whose underlying type is ObjectMessage can also be vulnerable, as that method performs deserialization. The MQ classes for JMS trace calls toString() on javax.jms.Message objects, and so is also vulnerable if the underlying type is ObjectMessage.

CVEID: CVE-2016-0360
DESCRIPTION:
IBM WebSphere MQ JMS client provides classes that deserialize objects from untrusted sources, which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111930 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM MQ 9.0

IBM MQ 9.0.0.0 only

IBM WebSphere MQ 8.0

IBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels

IBM WebSphere MQ 7.5

IBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels

IBM WebSphere MQ 7.1

IBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels

IBM WebSphere MQ 7.0.1

IBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels

Remediation/Fixes

IBM MQ 9.0 (Long Term Support)

Apply 9.0.0.1 maintenance level when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization whitelisting.

IBM MQ 9.0 (Continuous Delivery)

Serialization whitelisting is available from IBM MQ 9.0.1. Upgrade to latest version of IBM MQ and follow instructions in the IBM Knowledge Center to apply ClassName whitelisting in JMS ObjectMessage.

IBM WebSphere MQ 8.0

Apply 8.0.0.6 maintenance level and follow instructions in the IBM Knowledge Center to apply ClassName whitelisting in JMS ObjectMessage.

IBM WebSphere MQ 7.5

Apply Fixpack 7.5.0.8 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization whitelisting.

IBM WebSphere MQ 7.1

Apply Fixpack 7.1.0.9 when available. In the interim apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization whitelisting.

IBM WebSphere MQ 7.0.1

Apply patch for APAR IT14385 and follow instructions in the patch readme to apply serialization whitelisting.
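The fixes above enable IBM's own ClassName whitelisting for JMS ObjectMessage, which is configured as the patch readme or the IBM Knowledge Center describes. The following is an added example, not IBM code and not using any MQ API: it shows the underlying technique on a plain ObjectInputStream with the standard Java 9+ ObjectInputFilter API, which is the same control the remediation applies inside the MQ client. A payload whose class is on the allowlist deserializes; a payload of any other class is rejected before an instance is created, which is the point at which getObject() and toString() on an ObjectMessage (Vulnerability Details) would otherwise run attacker-chosen deserialization. The class name OrderEvent and the sample payloads are assumptions constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Assumed application payload type: the only class a consumer expects to receive.
// Deliberately not nested, so its binary name is simply "OrderEvent".
class OrderEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    final String orderId;
    final int quantity;

    OrderEvent(String orderId, int quantity) {
        this.orderId = orderId;
        this.quantity = quantity;
    }

    @Override
    public String toString() {
        return "OrderEvent[" + orderId + ", " + quantity + "]";
    }
}

public class AllowlistDeserialization {

    // Allowlist filter (standard java.io.ObjectInputFilter pattern syntax):
    //  - maxdepth/maxbytes bound resource use by a hostile stream,
    //  - OrderEvent and java.lang.String (its field type) are permitted,
    //  - the trailing "!*" rejects every other class before it is instantiated.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxbytes=65536;OrderEvent;java.lang.String;!*");

    /** Deserialize an untrusted payload, accepting only allowlisted classes. */
    static Object deserialize(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            // The filter must be installed before the first readObject() call.
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    /** Helper used only to build the constructed sample payloads below. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payloads, not captured traffic.
        byte[] expected = serialize(new OrderEvent("A-1001", 3));
        // HashMap stands in for any class that is not on the allowlist.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("allowlisted payload -> " + deserialize(expected));

        try {
            deserialize(unexpected);
            System.out.println("BUG: a class outside the allowlist was deserialized");
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor; no HashMap instance is ever created.
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with `java AllowlistDeserialization.java` on JDK 11 or later. In a JMS consumer the equivalent discipline is to check `message instanceof ObjectMessage` and route such messages only through an allowlisted deserializer, and never to log a `javax.jms.Message` via `toString()` before that check, since the bulletin notes that `toString()` itself deserializes the payload.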

Workarounds and Mitigations

IBM WebSphere MQ supports Object Messages as part of the JMS specification; however, ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. To ensure that messages come from recognised senders, a security mechanism such as MQ's AMS (Advanced Message Security) can be used.

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Vulnerability reported to IBM by Matthias Kaiser at Code White (www.code-white.com)

Change History

06 January 2017: Original version published.
07 March 2017: Clarified Vulnerability Details with details of applications which could be vulnerable.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere MQ / Java

Software version: 7.0.1, 7.1, 7.5, 8.0, 9.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1983457

Modified date: 14 March 2017