MQSeries.net :: View topic - MQ/Java client

dutchman · Posted: Wed Feb 20, 2002 7:36 am Post subject:

The following situation has arisen which is giving me great cause for
concern. If I am right, then I think we have a large security hole in
MQSeries - I would love to be proved wrong.

The scenario occurs where a Java client attaches to a SVRCONN channel. If
you donâ€™t use the MQEnvironment.userID variable, and you don't hardcode
the MCAUSER field as part of the SVRCONN channel, then the userid is
determined by the userid of the listener at the server end. This is â€œmqmâ€ on
Unix machines and â€œMUSR_MQADMINâ€ on NT. This means that any Java program has
complete access to the MQ server queue manager including the ability to send
PCF commands. This does not happen to MQ 'C' clients.

Even if the MQEnvironment.userID value is provided, this is simply a String
variable and could easily be set to â€œmqmâ€ or any other valid userid by a
rogue programmer.

So it would appear that "MQ out of the box" would allow anybody to connect
to a server via a Java client (if you haven't already got them - the code is
freely downloadable from the IBM web site). This includes connecting via the
â€œSYSTEM.DEF.SVRCONNâ€ which is created automatically when MQ is installed and
"SYSTEM.ADMIN.SVRCONN". Yes, it is good practice to remove SYSTEM.DEF.SVRCONN.

The only way out of this that I can see is to provide channel security exits
at BOTH ends of the client channel to do proper authentication. So far so
good, butâ€¦

MQSI uses Java client connections for the â€œConfig Managerâ€ and it doesnâ€™t
allow for security exits. This means that even if you plug the holes
detailed above, there will still be a pipeline into the server via MQSIâ€™s
channels AND I DONâ€™T SEE HOW TO PLUG THIS ONE!

BTW - the same applies of course to any other package which uses client
connections and doesnâ€™t allow for security exits.

Anyone got any ideas?