A security vulnerability has been discovered in the IBM WebSphere MQ software package. The package provides reliable integration for applications and web services, enabling dependable communication and secure delivery between different systems and platforms. The flaw manifests as an overwrite of a heap buffer while processing messages in a queue. A local attacker can exploit it to execute arbitrary code or carry out a DoS attack by inserting a specially crafted, malformed message. All users are advised to upgrade.

Secunia Advisory SA42941
IBM WebSphere MQ Invalid Message Buffer Overflow Vulnerability
Release Date: 2011-01-17

Criticality level: Less critical
Impact: System access
Where: From local network
Solution Status: Vendor Patch

Software:
	IBM WebSphere MQ 6.x
	IBM WebSphere MQ 7.x

CVE Reference(s): CVE-2011-0314

Description
A vulnerability has been reported in IBM WebSphere MQ, which can be exploited by malicious users to potentially compromise a vulnerable system.

The vulnerability is caused due to an error while processing messages in the queue and can be exploited to cause a heap-based buffer overflow by inserting a specially crafted, invalid message.

Successful exploitation may allow execution of arbitrary code.

Solution
Apply APAR IZ81294 or update to versions 6.0.2.11 or 7.0.1.5 when available.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
IBM (IZ81294):
https://www-304.ibm.com/support/docview.wss?uid=swg21254675
http://xforce.iss.net/xforce/xfdb/64550
