Session ID Prediction Vulnerability in IBM WebSphere MQ
CVE-2015-0173
Currently unrated
Summary
In IBM WebSphere MQ Internet Pass-Thru (IPT) versions prior to 2.1.0.2, a flaw exists in the HTTP connection-management functionality. When HTTPS is not enabled, the application fails to properly generate unique MQIPT Session IDs. Remote attackers can therefore predict Session ID values and use them to evade intended restrictions on MQ message data, potentially compromising sensitive communications.