Security Bulletin: IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object on unix platforms ( CVE-2016-0394 )

Summary

IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object on unix platforms, which exposes it to an unintended actor.

Vulnerability Details

CVEID: CVE-2016-0394**
DESCRIPTION:** IBM Integration Bus and WebSphere Message broker set incorrect permissions for an object, which could allow a local attacker to manipulate certain files.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112643 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Integration Bus V9

WebSphere Message Broker V8

Remediation/Fixes

Product

| VRMF|APAR|Remediation/Fix
—|—|—|—
IBM Integration Bus| V9| IT14845| The APAR is available in Fix Pack 9.0.0.6

<https://www-304.ibm.com/support/docview.wss?uid=swg24042598&gt;

WebSphere Message Broker| V8| IT14845| The APAR is available in Fix Pack 8.0.0.8
<https://www-304.ibm.com/support/docview.wss?uid=swg24042925&gt;

For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at :

http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308

Workarounds and Mitigations

To mitigate the problem with a current V8 or V9 fix pack installation on Unix platforms, you can run the following commands:

find <IIB install dir>/isadc -type d -exec chmod 755 {} ;
find <IIB install dir>/isadc -type f -exec chmod 644 {} ;
find <IIB install dir>/isadc -type f -name *.sh -print -exec chmod 755