IBM Integration Bus and WebSphere Message Broker, upon installation, set incorrect permissions for an object on Unix platforms, which exposes it to an unintended actor.
CVEID: CVE-2016-0394
DESCRIPTION: IBM Integration Bus and WebSphere Message Broker set incorrect permissions for an object, which could allow a local attacker to manipulate certain files.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112643 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
IBM Integration Bus V9
WebSphere Message Broker V8
Product | VRMF | APAR | Remediation/Fix
---|---|---|---
IBM Integration Bus | V9 | IT14845 | The APAR is available in Fix Pack 9.0.0.6 <https://www-304.ibm.com/support/docview.wss?uid=swg24042598>
WebSphere Message Broker | V8 | IT14845 | The APAR is available in Fix Pack 8.0.0.8 <https://www-304.ibm.com/support/docview.wss?uid=swg24042925>
For unsupported versions of the product, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
The planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at:
http://www.ibm.com/support/docview.wss?rs=849&uid=swg27006308
To mitigate the problem with a current V8 or V9 fix pack installation on Unix platforms, you can run the following commands:
find "<IIB install dir>/isadc" -type d -exec chmod 755 {} \;
find "<IIB install dir>/isadc" -type f -exec chmod 644 {} \;
find "<IIB install dir>/isadc" -type f -name '*.sh' -print -exec chmod 755 {} \;
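To check an installation before and after applying the mitigation, the following added example (not part of IBM's bulletin) audits the isadc tree against the modes those commands set. The function name `audit_isadc` and the WRITABLE/MODE tags are hypothetical, and treating group or world write access as the most important deviation is an assumption, since the bulletin does not say which mode was wrong.

```shell
#!/bin/sh
# Added example (not IBM's code). Audits an isadc tree against the modes the
# bulletin's mitigation commands set: directories 755, *.sh 755, other files 644.
# Assumption: group/world write access is the deviation that matters most,
# so those entries are tagged WRITABLE; any other mismatch is tagged MODE.
# Returns 0 if clean, 1 if findings were printed, 2 if DIR is not a directory.
audit_isadc() {
    a_dir=$1
    [ -d "$a_dir" ] || { echo "not a directory: $a_dir" >&2; return 2; }
    a_out=$(
        # Directories and files that a non-owner can modify.
        find "$a_dir" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) \
            -print | sed 's/^/WRITABLE /'
        # Entries that are not non-owner-writable but still differ from the target mode.
        find "$a_dir" ! -perm -020 ! -perm -002 \( \
            \( -type d ! -perm 755 \) -o \
            \( -type f -name '*.sh' ! -perm 755 \) -o \
            \( -type f ! -name '*.sh' ! -perm 644 \) \) \
            -print | sed 's/^/MODE /'
    )
    [ -z "$a_out" ] && return 0
    printf '%s\n' "$a_out"
    return 1
}

# Usage: audit_isadc "<IIB install dir>/isadc"
```

A non-zero exit status after the mitigation has been applied means some entry still differs from the target modes and should be reviewed by hand.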
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm integration bus | eq | 9.0 |
| | websphere message broker | eq | 8.0 |