WebSphere MQ Security Bulletin: multiple vulnerabilities in GSKit component

Flash (Alert)


WebSphere MQ Security Vulnerability: An attacker can inject invalid SSL or TLS record data to cause a denial of service. A malicious certificate authority (CA) certificate can also be injected into a keystore by importing a PKCS#12 file that carries no message authentication code (MAC), so the tampering is not detected on import.



CVE ID: CVE-2012-2191, CVE-2012-2203

There are two security vulnerabilities in the GSKit component of WebSphere MQ. The vulnerabilities can only be exploited if the GSKit component of MQ is being used: (a) for certificate management, or (b) to implement SSL or TLS enabled channels.

CVE-2012-2191 (CVSS 5)
An invalid data size in either SSL or TLS records could lead to segmentation violation in GSKit.
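The check a record layer must make before it trusts the length field, as an added Python example: this is not GSKit code and not from this bulletin, which does not say which length field GSKit mishandled. The parser bounds the declared record length by the RFC 5246 maximum and by the bytes actually received, and the sample records are constructed for the example.

```python
import struct

# RFC 5246: the record header is 5 bytes and a TLSCiphertext fragment must not
# exceed 2^14 + 2048 bytes.
RECORD_HEADER_LEN = 5
TLS_MAX_CIPHERTEXT = 2 ** 14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


class RecordError(ValueError):
    """Raised for any record whose header cannot be trusted."""


def parse_records(buf):
    """Split buf into TLS records, validating every header field before the
    declared length is used to index the buffer.  Returns a list of
    (content_type_name, (major, minor), fragment) tuples."""
    records = []
    offset = 0
    while offset < len(buf):
        remaining = len(buf) - offset
        if remaining < RECORD_HEADER_LEN:
            raise RecordError("truncated record header at offset %d" % offset)
        ctype, major, minor, length = struct.unpack_from("!BBBH", buf, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError("unknown content type %d" % ctype)
        if major != 3:
            raise RecordError("unsupported protocol version %d.%d" % (major, minor))
        # These two bounds are what a native record layer must enforce before
        # copying `length` bytes: Python slicing would merely return a short
        # slice, but C code indexing on the declared length reads out of bounds.
        if length > TLS_MAX_CIPHERTEXT:
            raise RecordError("declared length %d exceeds protocol maximum %d"
                              % (length, TLS_MAX_CIPHERTEXT))
        available = remaining - RECORD_HEADER_LEN
        if length > available:
            raise RecordError("declared length %d exceeds %d available bytes"
                              % (length, available))
        start = offset + RECORD_HEADER_LEN
        records.append((CONTENT_TYPES[ctype], (major, minor),
                        bytes(buf[start:start + length])))
        offset = start + length
    return records


def check_stream(buf):
    """Policy wrapper: returns (accepted, detail) instead of raising."""
    try:
        records = parse_records(buf)
    except RecordError as exc:
        return False, str(exc)
    return True, "%d record(s)" % len(records)


# Constructed sample input (not captured traffic): a TLS 1.2 fatal
# handshake_failure alert followed by a 4-byte application_data record.
VALID_STREAM = bytes.fromhex("15030300020228") + bytes.fromhex("170303000401020304")
# Malformed headers of the kind a peer can inject: a length above the protocol
# maximum, and a length larger than the bytes that follow it.
OVERSIZED_RECORD = bytes.fromhex("170303ffff") + b"A" * 16
TRUNCATED_RECORD = bytes.fromhex("1603030010") + b"\x01" * 4

if __name__ == "__main__":
    for name, stream in (("valid", VALID_STREAM), ("oversized", OVERSIZED_RECORD),
                         ("truncated", TRUNCATED_RECORD)):
        print(name, check_stream(stream))
```

The second bound matters as much as the first: a length that is within the protocol maximum but larger than the data received is still an out-of-bounds read in native code, and the fix is to refuse the record (or wait for more bytes) rather than to index on the declared value.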

CVE-2012-2203 (CVSS 5.8)
The PKCS#12 specification defines the message authentication code (MAC) that protects the contents of a PKCS#12 file as optional. A PKCS#12 file can therefore be modified before it is imported into a GSKit keystore so that it contains a malicious CA certificate and carries no MAC, and the tampering is not detected on import.
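An added example (not from this bulletin and not GSKit code) of how to tell whether a PKCS#12 file carries a MAC before it is imported: a minimal DER reader for the outer PFX structure, an import gate that refuses files with no verifiable integrity, and, to show why the gate is needed, the one-step transformation that removes the MAC. The sample PFX blobs are constructed inline with an opaque placeholder in place of a real AuthenticatedSafe, and all function names are this example's own.

```python
# DER tags used by the outer PKCS#12 PFX structure.
SEQUENCE, INTEGER, NULL, OCTET_STRING, OID, CONTEXT_0 = 0x30, 0x02, 0x05, 0x04, 0x06, 0xA0
OID_ID_DATA = "1.2.840.113549.1.7.1"        # password integrity mode (or none)
OID_SIGNED_DATA = "1.2.840.113549.1.7.2"    # public-key integrity mode


def _der(tag, body):
    """Encode one DER TLV (used to build the constructed samples and by strip_mac)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, offset, limit):
    """Decode one tag/length at offset; every length is bounded by limit.
    Returns (tag, value_start, value_end)."""
    if offset + 2 > limit:
        raise ValueError("truncated TLV at offset %d" % offset)
    tag, first = buf[offset], buf[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or offset + nbytes > limit:
            raise ValueError("bad length encoding at offset %d" % offset)
        length = int.from_bytes(buf[offset:offset + nbytes], "big")
        offset += nbytes
    if offset + length > limit:
        raise ValueError("length %d overruns enclosing structure" % length)
    return tag, offset, offset + length


def _children(value):
    """Return the (tag, value_bytes) list of the TLVs packed inside a constructed value."""
    out, off = [], 0
    while off < len(value):
        tag, vs, ve = _read_tlv(value, off, len(value))
        out.append((tag, bytes(value[vs:ve])))
        off = ve
    return out


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def inspect_pfx(der):
    """Parse PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData OPTIONAL }
    and report which integrity mode, if any, protects the contents."""
    tag, s, e = _read_tlv(der, 0, len(der))
    if tag != SEQUENCE or e != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields = _children(der[s:e])
    if len(fields) not in (2, 3) or fields[0][0] != INTEGER or fields[1][0] != SEQUENCE:
        raise ValueError("unexpected PFX layout")
    content_type = _decode_oid(_children(fields[1][1])[0][1])
    info = {"version": int.from_bytes(fields[0][1], "big"),
            "content_type": content_type, "has_mac": len(fields) == 3}
    if info["has_mac"]:
        # MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }
        mac = _children(fields[2][1])
        alg_id = _children(_children(mac[0][1])[0][1])   # DigestInfo -> AlgorithmIdentifier
        info["mac_digest"] = _decode_oid(alg_id[0][1])
        info["mac_iterations"] = int.from_bytes(mac[2][1], "big") if len(mac) > 2 else 1
        info["integrity"] = "password"
    else:
        info["integrity"] = "public-key" if content_type == OID_SIGNED_DATA else "none"
    return info


def import_policy(der):
    """Gate a keystore import: accept only files whose integrity can be verified."""
    info = inspect_pfx(der)
    if info["integrity"] == "none":
        return False, "PKCS#12 file has no MAC and is not signed; refusing to import"
    return True, "integrity mode: %s" % info["integrity"]


def strip_mac(der):
    """The whole attack: drop the optional macData and re-encode.  No password or
    key is needed, which is why the importing side has to check for the MAC."""
    tag, s, e = _read_tlv(der, 0, len(der))
    return _der(SEQUENCE, b"".join(_der(t, v) for t, v in _children(der[s:e])[:2]))


# Constructed samples (not real keystores); the AuthenticatedSafe payload is an
# opaque placeholder because only the outer structure matters here.
_AUTH_SAFE = _der(SEQUENCE, _der(OID, bytes.fromhex("2a864886f70d010701"))
                  + _der(CONTEXT_0, _der(OCTET_STRING, b"<AuthenticatedSafe DER>")))
_MAC_DATA = _der(SEQUENCE,
                 _der(SEQUENCE, _der(SEQUENCE, _der(OID, bytes.fromhex("2b0e03021a")) + _der(NULL, b""))
                                + _der(OCTET_STRING, bytes(20)))      # DigestInfo: sha1, 20-byte MAC
                 + _der(OCTET_STRING, bytes(8))                          # macSalt
                 + _der(INTEGER, (2048).to_bytes(2, "big")))             # iterations
PFX_WITH_MAC = _der(SEQUENCE, _der(INTEGER, b"\x03") + _AUTH_SAFE + _MAC_DATA)
PFX_WITHOUT_MAC = _der(SEQUENCE, _der(INTEGER, b"\x03") + _AUTH_SAFE)

if __name__ == "__main__":
    for name, blob in (("with MAC", PFX_WITH_MAC), ("stripped", strip_mac(PFX_WITH_MAC))):
        print(name, inspect_pfx(blob)["integrity"], import_policy(blob))
```

Presence of the MAC is only the cheap half of the check; verifying it needs the integrity password, which a keystore import prompts for anyway. For a real file, `openssl pkcs12 -info -noout -in file.p12` prints the MAC digest and iteration count when a MAC is present.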


CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Certain versions of the GSKit component of WebSphere MQ are affected, refer to the remediation section for more information.

  • WebSphere MQ 7.0.1 on all platforms (except IBM i and z/OS)
  • WebSphere MQ 7.1 on all platforms (except IBM i and z/OS)
  • WebSphere MQ 7.5 on all platforms (except IBM i and z/OS)

Fixes for both these vulnerabilities are included in GSKit versions and and later, provided by MQ fix packs.

WebSphere MQ 7.0.1
Apply fix pack or later. See http://www.ibm.com/support/docview.wss?rs=171&uid=swg24033008

WebSphere MQ 7.1
Apply fix pack when available. In the interim, apply APAR IC87061.

WebSphere MQ 7.5
Apply fix pack when available. In the interim, apply APAR IC87061.

Workarounds: none known.

Mitigation: use filesystem permissions to restrict write access to PKCS#12 files so that a malicious CA certificate cannot be inserted before the file is imported. Before importing, confirm that the file still carries its MAC and that the fingerprint of each CA certificate it contains matches the value expected from the issuer.

Complete CVSS Guide ( http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 ( http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2012-2191 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2191)
CVE-2012-2203 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2203)
WebSphere MQ ( http://www-01.ibm.com/support/docview.wss?uid=swg21601150)

22nd October 2012: Original Copy Published

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

WebSphere MQ WMQ

Document information

More support for:

WebSphere MQ

Software version:

7.0.1, 7.1, 7.5

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Linux Red Hat - i/p Series, Linux Red Hat - xSeries, Linux Red Hat - zSeries, Linux SUSE - xSeries, Linux SUSE - zSeries, Linux SuSE - i/p Series, Linux iSeries, Linux on Power, Linux zSeries, Solaris, UNIX, Windows

Software edition:

All Editions

Reference #:


Modified date:

