IBM Security Bulletin: IBM WebSphere MQ Java clients might send a password in clear text (CVE-2016-3052)

If your Java or JMS application specifies PasswordProtection=ALWAYS, and sets either USE_MQCSP_AUTHENTICATION_PROPERTY or USER_AUTHENTICATION_MQCSP to false, and uses a plaintext channel (no SSL/TLS), then IBM WebSphere MQ might send a plaintext password across a network connection.
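The three conditions above can be checked in a client code base before deployment. The following audit script is an added example, not part of the IBM bulletin or IBM's code. It assumes that TLS, when used, is enabled in the scanned Java source through a cipher-suite setting (`SSL_CIPHER_SUITE_PROPERTY`, `WMQ_SSL_CIPHER_SUITE` or `setSSLCipherSuite`) and that `PasswordProtection` is set in `mqclient.ini`; the function name and sample inputs are constructed for illustration.

```python
import re

# Setting names come from the bulletin. The cipher-suite identifiers used to
# decide "TLS is configured" are an assumption about how the client enables TLS.
MQCSP_OFF = re.compile(
    r"\b(?:USE_MQCSP_AUTHENTICATION_PROPERTY|USER_AUTHENTICATION_MQCSP)\b"
    r"\s*,\s*(?:Boolean\.FALSE|false)\b")
TLS_SET = re.compile(
    r"\b(?:SSL_CIPHER_SUITE_PROPERTY|WMQ_SSL_CIPHER_SUITE|setSSLCipherSuite)\b")
# Anchored at line start so lines commented out with '#' or ';' do not match.
PWD_ALWAYS = re.compile(
    r"^[ \t]*PasswordProtection[ \t]*=[ \t]*ALWAYS[ \t]*\r?$", re.I | re.M)
# Naive comment stripper: good enough for an audit pass, not a Java parser.
JAVA_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)


def audit(java_source, mqclient_ini):
    """Report which of the bulletin's three conditions hold for one client."""
    code = JAVA_COMMENT.sub("", java_source)  # ignore commented-out settings
    result = {
        "password_protection_always": bool(PWD_ALWAYS.search(mqclient_ini)),
        "mqcsp_disabled": bool(MQCSP_OFF.search(code)),
        "plaintext_channel": not TLS_SET.search(code),
    }
    # Affected only when all three conditions are present together.
    result["affected"] = all(result.values())
    return result


# Constructed sample inputs (not taken from any real application).
SAMPLE_INI = "Channels:\n   PasswordProtection=ALWAYS\n"
SAMPLE_JAVA = """
Hashtable<String, Object> props = new Hashtable<>();
props.put(MQConstants.USER_ID_PROPERTY, "app");
props.put(MQConstants.PASSWORD_PROPERTY, password);
props.put(MQConstants.USE_MQCSP_AUTHENTICATION_PROPERTY, false);
"""
SAMPLE_JAVA_TLS = SAMPLE_JAVA + (
    'props.put(MQConstants.SSL_CIPHER_SUITE_PROPERTY, '
    '"TLS_RSA_WITH_AES_128_CBC_SHA256");\n')

if __name__ == "__main__":
    print(audit(SAMPLE_JAVA, SAMPLE_INI))
    print(audit(SAMPLE_JAVA_TLS, SAMPLE_INI))
```

A result with `affected` set to true means the client matches the combination described in the bulletin and should be checked against the remediation in the source bulletin.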

CVE(s): CVE-2016-3052

Affected product(s) and affected version(s):

IBM WebSphere MQ V8.0

IBM WebSphere MQ V8.0.0.5 and previous maintenance levels.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2liIXeu
X-Force Database: http://ift.tt/2m8uDn5

from IBM Product Security Incident Response Team http://ift.tt/2liIBEE