If your Java or JMS application specifies PasswordProtection=ALWAYS, and sets either USE_MQCSP_AUTHENTICATION_PROPERTY or USER_AUTHENTICATION_MQCSP to false, and uses a plaintext channel (no SSL/TLS), then IBM WebSphere MQ might send a plaintext password across a network connection.
CVE(s): CVE-2016-3052
Affected product(s) and affected version(s):
IBM WebSphere MQ V8.0
IBM WebSphere MQ V8.0.0.5 and previous maintenance levels.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2liIXeu
X-Force Database: http://ift.tt/2m8uDn5
The post IBM Security Bulletin: IBM WebSphere MQ Java clients might send a password in clear text (CVE-2016-3052) appeared first on IBM PSIRT Blog.
from IBM Product Security Incident Response Team http://ift.tt/2liIBEE
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.