This episode of The Deep Queue contains news about the new MSoT stand-alone WMQ Explorer SupportPac, yet another payment processor data breach, updates to some items we’ve covered in the past and breaking news about a WebSphere MQ interim fix that many people will want to take a close look at.
One of the items in the podcast suggests some corrections to scripts listed in the “Using MQ Explorer as a read-only viewer” post over at the Hursley View on WebSphere MQ blog. I have excerpted a portion of the setmqaut commands from that post here:
setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'AMQ.**' -p YOUR_USER_NAME +all
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'MQAI.**' -p YOUR_USER_NAME +all
My recommendation is to delete the last two lines. When an application creates a dynamic queue, MQ grants the creating user full authority to that queue, so there is nothing to pre-authorize. What the two commands above actually do is grant ALL access to EVERY dynamic queue whose name matches the AMQ.** or MQAI.** profile, no matter which application created it.
So, for example, if your application uses AMQ.** as its dynamic queue name prefix, anyone holding the rights granted above can read messages from your dynamic queue as they arrive, alter them, and put them back on the queue, all in one unit of work. Your application will never be aware of this man-in-the-middle attack, and I have complete control over the responses your application sees.
Of course, the -p should be changed to a -g as well, so that whoever runs the script has to choose explicitly which group is being authorized. On UNIX and Linux, WebSphere MQ stores object authorizations against groups, so -p user quietly grants the rights to the user's primary group rather than to the user alone. The -p option only does what you expect on Windows servers, and then only when the principal is fully qualified, such as -p user@domain or -p user@host.
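To make the two points above concrete, here is an added example (my own script, not part of the original Hursley post or of WebSphere MQ) that audits a file of setmqaut commands for both problems and emits a corrected version. The queue manager name QM1, the user alice and the group mqviewers are constructed for the demo, as is the sample script.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): audit a script of
# setmqaut commands for the two problems discussed above, and emit a corrected
# version. QM1, alice and mqviewers are constructed names.

# Constructed input standing in for the excerpted script.
sample_script() {
    cat <<'EOF'
setmqaut -m QM1 -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p alice +get +browse +inq
setmqaut -m QM1 -t q -n 'AMQ.**' -p alice +all
setmqaut -m QM1 -t q -n 'MQAI.**' -p alice +all
setmqaut -m QM1 -t qmgr -g mqviewers +connect +inq +dsp
EOF
}

# Report one finding per line: any -p principal (authorization should be by
# group) and +all on a dynamic-queue profile (AMQ.** or MQAI.**).
audit_setmqaut() {
    awk -v q="'" '
    /^setmqaut/ {
        principal = ""; profile = ""; rights = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-p") principal = $(i + 1)
            if ($i == "-n") { profile = $(i + 1); gsub(q, "", profile) }
            if ($i ~ /^\+/) rights = rights " " $i
        }
        if (principal != "")
            print "line " NR ": -p " principal " authorizes by principal; use -g <group> (on UNIX this lands on the primary group)"
        if (profile ~ /^(AMQ|MQAI)\.\*\*$/ && index(rights, "+all") > 0)
            print "line " NR ": +all on dynamic-queue profile " profile " exposes every matching dynamic queue; delete this line"
    }'
}

# Emit a corrected script: drop the +all dynamic-queue lines and replace
# "-p <user>" with "-g <group>", where the group name is given as $1.
# Lines that are not setmqaut commands (comments, blanks) pass through.
rewrite_setmqaut() {
    group="$1"
    awk -v q="'" -v g="$group" '
    !/^setmqaut/ { print; next }
    {
        profile = ""; rights = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "-n") { profile = $(i + 1); gsub(q, "", profile) }
            if ($i ~ /^\+/) rights = rights " " $i
        }
        if (profile ~ /^(AMQ|MQAI)\.\*\*$/ && index(rights, "+all") > 0) next
        for (i = 2; i <= NF; i++)
            if ($i == "-p") { $i = "-g"; $(i + 1) = g }
        print
    }'
}

# Stand-alone demo.
echo "Findings:"
sample_script | audit_setmqaut
echo
echo "Corrected script (group mqviewers):"
sample_script | rewrite_setmqaut mqviewers
```

Run it against a real script with `audit_setmqaut < my_setmqaut.sh`. On a live queue manager, `dmpmqaut -m QM1 -t q -n 'AMQ.**'` shows what the generic profile actually grants, which is the check to make before and after applying the corrected script.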
Links for this episode:
MSoT SupportPac – Stand-alone WebSphere MQ Explorer
Latest payment processor breach coverage from DataBreaches.net
Just weeks after Heartland breach, another payment processor said to be hit
And the rumor mills kick into higher gear
No, the unnamed processor breach is not another Heartland breach
US Department of Justice
Two plead guilty to defrauding trucking companies in multi-million dollar scheme that used Internet site
developerWorks article: Securing WebSphere MQ File Transfer Edition V7
Blog: A Hursley View on WebSphere MQ
Using WebSphere MQ Explorer as a read-only viewer
APAR IC58952: INCORRECT C and .NET CLIENT RC WHEN SCYEXIT CLOSES CHANNEL
APAR IC58878: MANAGED WMQ V7 .NET ERRORS USING SECURITY EXITS
WebSphere MQ planned maintenance release dates
Combined interim fix for Data Integrity APAR IC60063 and Security Vulnerability
APAR IC60063 – Data integrity exposure for circular logging queue managers
APAR IZ40824 – Security vulnerability