IBM MQ Vulnerability – When Trace is activated, Internet Pass-Thru writes sensitive data to trace files.

This morning IBM announced a newly discovered IBM MQ vulnerability. MITRE apparently has not yet finished researching the issue and has not written a description of it: the CVE entry still shows as "** RESERVED **".

According to IBM, the vulnerability causes MQ Internet Pass-Thru to store potentially sensitive information in trace files that could be read by a local user. IBM gives it a CVSS base score of 5.1, and it affects the following versions:
IBM MQ Internet Pass-Thru 2.1
IBM MQ Internet Pass-Thru 9.2 LTS
IBM MQ Internet Pass-Thru 9.2 CD

The fix depends on the version. For IBM MQ Internet Pass-Thru 2.1, the fix is to apply the FixPack

With this, IBM includes a note: "MQ IPT is provided on Solaris platforms only, for users with appropriate extended support entitlement. Contact IBM support to obtain the installation files for MQIPT on Solaris. Users of MQ IPT 2.1 on all other platforms should migrate to one of the MQ IPT 9.2 levels listed below (or later)."

For 9.2 LTS there is an interim fix for APAR IT41700.

For Internet Pass-Thru 9.2 CD, the fix is to upgrade to IBM MQ Internet Pass-Thru LTS or IBM MQ Internet Pass-Thru 9.3.1 CD[…]
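Until the fix for your level is applied, and any time trace is switched on for a diagnosis afterwards, two things are worth checking on an MQIPT host: whether trace is enabled at all, and who can read trace files that have already been written. The POSIX shell script below is an added example, not code from IBM or from the advisory. It assumes that MQIPT reads its configuration from mqipt.conf with a Trace= property in the [global] and [route] sections, and that trace files end in .trc and land in the logs subdirectory of the MQIPT home; it builds its own constructed sample installation in a temporary directory so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the IBM notice or the MQIPT product.
# Assumptions (not confirmed by the notice): configuration lives in
# mqipt.conf, trace is controlled by Trace= in [global]/[route] sections,
# and trace output (*.trc) is written under <MQIPT home>/logs.

# Constructed sample MQIPT home so the script can run offline.
SAMPLE_HOME=$(mktemp -d)
trap 'rm -rf "$SAMPLE_HOME"' EXIT
mkdir -p "$SAMPLE_HOME/logs"
cat > "$SAMPLE_HOME/mqipt.conf" <<'EOF'
# constructed sample configuration
[global]
Trace=3
[route]
Name=sample
ListenerPort=1414
Destination=qm.example.invalid
DestinationPort=1414
Trace=0
EOF
printf 'constructed sample trace data\n' > "$SAMPLE_HOME/logs/ipt0.trc"
chmod 644 "$SAMPLE_HOME/logs/ipt0.trc"   # group/world readable: the problem case

# Print "section:level" for every Trace= setting in a config file.
trace_levels() {
    awk -F= '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { sect=$0; gsub(/[][ \t\r]/, "", sect); next }
        {
            key=$1; gsub(/[ \t\r]/, "", key)
            if (tolower(key) == "trace") {
                val=$2; gsub(/[ \t\r]/, "", val)
                print sect ":" val
            }
        }' "$1"
}

# Exit 0 if any section has trace switched on (level 1-5), 1 otherwise.
trace_enabled() {
    trace_levels "$1" | grep -E ':[1-9]$' >/dev/null
}

# Count *.trc files under a directory that group or others can read.
count_exposed_trace_files() {
    find "$1" -name '*.trc' \( -perm -g+r -o -perm -o+r \) | wc -l | tr -d ' '
}

# Stopgap for existing files: owner-only access until they are deleted.
lock_trace_files() {
    find "$1" -name '*.trc' -exec chmod 600 {} +
}

# Configuration remediation: force every Trace= line to level 0.
disable_trace() {
    sed 's/^\([[:space:]]*[Tt][Rr][Aa][Cc][Ee][[:space:]]*=\).*/\10/' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Walk the constructed sample: report, then harden.
echo "Trace levels: $(trace_levels "$SAMPLE_HOME/mqipt.conf" | tr '\n' ' ')"
if trace_enabled "$SAMPLE_HOME/mqipt.conf"; then
    echo "WARNING: trace is enabled; trace files may hold sensitive data"
fi
echo "Exposed trace files before: $(count_exposed_trace_files "$SAMPLE_HOME/logs")"
lock_trace_files "$SAMPLE_HOME/logs"
disable_trace "$SAMPLE_HOME/mqipt.conf"
echo "Exposed trace files after:  $(count_exposed_trace_files "$SAMPLE_HOME/logs")"
```

Against a real installation, point the functions at the actual mqipt.conf and logs directory instead of the constructed sample and drop the temporary-directory setup. Locking the files down is only a stopgap: the sensitive content is still on disk, so delete trace files once the diagnosis they were collected for is finished, and keep trace at level 0 in normal operation.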

The original MQ vulnerability notice from IBM is available at