The Deep Queue – Episode #8: The good news and the bad news

This episode of The Deep Queue contains news about the new MSoT stand-alone WMQ Explorer SupportPac, yet another payment processor data breach, updates to some items we’ve covered in the past and breaking news about a WebSphere MQ interim fix that many people will want to take a close look at.

One of the items in the podcast suggests some corrections to scripts listed in the “Using MQ Explorer as a read-only viewer” post over at the Hursley View on WebSphere MQ blog.  I have excerpted a portion of the setmqaut commands from that post here:


setmqaut -m YOUR_QUEUE_MANAGER -t q -n SYSTEM.DEFAULT.MODEL.QUEUE -p YOUR_USER_NAME +get +browse +inq
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'AMQ.**' -p YOUR_USER_NAME +all
setmqaut -m YOUR_QUEUE_MANAGER -t q -n 'MQAI.**' -p YOUR_USER_NAME +all

My recommendation is to delete the last two lines.  When you create a dynamic queue, MQ grants you complete access to the queue.  There is no need to pre-authorize that access.  The effect of the two commands above is to grant you ALL access to ALL dynamic queues that match the AMQ.** or MQAI.** profiles.

So for example, if you have an application that uses AMQ.** as it’s dynamic queue name prefix, anyone using the rights granted above can read messages from your dynamic queue as they arrive, update them, and write them back to the queue in one transaction.  Your application will never be aware of this man-in-the-middle attack and I have complete control over the responses your application sees.

Of course, the -p should be changed to a -g as well to force the user to explicitly select the group that is authorized. The -p option only works the way you expect on Windows servers, and then only if the principal is fully qualified, such as -p user@domain or -p user@host.

Links for this episode:

MSoT SupportPac – Stand-alone WebSphere MQ Explorer
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg24021041

Latest payment processor breach coverage from DataBreaches.net

Just weeks after Heartland breach, another payment processor said to be hit
http://www.databreaches.net/?p=1728

And the rumor mills kick into higher gear
http://www.databreaches.net/?p=1756

No, the unnamed processor breach is not another Heartland breach
http://www.databreaches.net/?p=1807

US Department of Justice
Two plead guilty to defrauding trucking companies in multi-million dollar scheme that used Internet site
http://www.usdoj.gov/criminal/cybercrime/lakesPlea.pdf

developerWorks article: Securing WebSphere MQ File Transfer Edition V7
http://www.ibm.com/developerworks/websphere/library/techarticles/0902_wyatt/0902_wyatt.html

Blog: A Hursley View on WebSphere MQ
Using WebSphere MQ Explorer as a read-only viewer
http://hursleyonwmq.wordpress.com/2007/02/08/using-websphere-mq-explorer-as-a-read-only-viewer/

APAR IC58952: INCORRECT C and .NET CLIENT RC WHEN SCYEXIT CLOSES CHANNEL
http://www-01.ibm.com/support/docview.wss?uid=swg1IC58952

APAR IC58878: MANAGED WMQ V7 .NET ERRORS USING SECURITY EXITS
http://www-01.ibm.com/support/docview.wss?uid=swg1IC58878

WebSphere MQ planned maintenance release dates
http://www-01.ibm.com/support/docview.wss?rs=171&uid=swg27006309

Combined interim fix for Data Integrity APAR IC60063 and Security Vulnerability
http://www-01.ibm.com/support/docview.wss?uid=swg24022268

APAR IC60063 – Data integrity exposure for circular logging queue managers
http://www.ibm.com/support/docview.wss?uid=swg1IC60063

APAR IZ40824 – Security vulnerability
http://xforce.iss.net/xforce/xfdb/48529

This entry was posted in DeepQueue, Errata, Podcast, Publications, WMQ, WMQ FTE, WMQ Security and tagged , , , , , , , , . Bookmark the permalink.

One Response to The Deep Queue – Episode #8: The good news and the bad news

  1. Pingback: Using WebSphere MQ Explorer as a read-only viewer « a Hursley view on WebSphere MQ

Leave a Reply