CVE-2016-0360

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary Java code on systems running vulnerable IBM WebSphere MQ JMS clients by exploiting insecure deserialization of untrusted data. It affects IBM WebSphere MQ JMS clients versions 7.0.1 through 9.0. Attackers can achieve remote code execution by manipulating the classpath.

💻 Affected Systems

Products:
  • IBM WebSphere MQ JMS Client
Versions: 7.0.1, 7.1, 7.5, 8.0, 9.0
Operating Systems: All platforms running Java
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the JMS client classes that deserialize objects. Requires attacker to add malicious classes to classpath.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution as the application user, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Remote code execution leading to application compromise, data exfiltration, or installation of backdoors.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege, and input validation are implemented.

🌐 Internet-Facing: HIGH - If vulnerable clients are exposed to untrusted networks, they can be directly exploited.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability to move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Deserialization vulnerabilities are commonly exploited using public tools like ysoserial. Attack requires ability to influence classpath or send malicious serialized objects.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes per IBM advisory: 7.0.1.13, 7.1.0.9, 7.5.0.8, 8.0.0.7, 9.0.0.2

Vendor Advisory: http://www-01.ibm.com/support/docview.wss?uid=swg21983457

Restart Required: Yes

Instructions:

1. Review IBM advisory 1983457.
2. Download the appropriate fix pack for your version.
3. Apply the fix following IBM installation procedures.
4. Restart affected services.

🔧 Temporary Workarounds

Restrict Classpath Access

linux

Prevent unauthorized users from adding classes to the JMS client classpath.

# /path/to/websphere is a placeholder for the actual installation directory.
# Mode 750 (rwxr-x---) removes write access for the group and all access for
# others, so only root can add or replace jars on the client classpath.
chmod 750 /path/to/websphere/lib/*
chown root:websphere /path/to/websphere/lib/*

Network Segmentation

linux

Isolate WebSphere MQ JMS clients from untrusted networks.

# trusted_network is a placeholder for the CIDR of the networks allowed to reach MQ port 1414.
# Rules are appended in order, so the ACCEPT must be added before the DROP.
iptables -A INPUT -p tcp --dport 1414 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 1414 -j DROP

🧯 If You Can't Patch

  • Implement strict network controls to limit client exposure to trusted sources only.
  • Use Java Security Manager with restrictive policies to limit deserialization capabilities.

🔍 How to Verify

Check if Vulnerable:

Check the installed WebSphere MQ version with the dspmqver command and compare it against the affected versions listed above.

Check Version:

dspmqver

Verify Fix Applied:

Verify that the installed fix pack version matches one of IBM's patched versions, using dspmqver or the list of installed fix packs in the WebSphere administration console.

📡 Detection & Monitoring

Log Indicators:

  • Java exceptions related to deserialization in WebSphere logs
  • Unexpected class loading events
  • Unusual process execution from WebSphere JVM

Network Indicators:

  • Unusual connections to WebSphere MQ ports (1414, 1415) from untrusted sources
  • Large serialized objects being sent to JMS endpoints

SIEM Query:

source="websphere.log" AND ("ClassNotFoundException" OR "InvalidClassException" OR "NotSerializableException")
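The log indicators and SIEM query above, turned into a small offline detector, as an added example that is not part of the original page: it scans constructed WebSphere-style log lines for the three deserialization exception names and for class loads from outside an assumed set of trusted classpath directories, then correlates both kinds of event on the same thread id, since a lone ClassNotFoundException is common in healthy JVMs. The log line layout, the "Loading class ... from ..." message and the trusted directories are assumptions, not IBM's exact formats.

```python
import re
from dataclasses import dataclass

# Constructed sample log in a WebSphere-style layout (assumption: the timestamp/thread-id
# prefix and the "Loading class ... from ..." message are illustrative, not IBM's exact format).
SAMPLE_LOG = """\
[3/14/17 10:02:11:004 UTC] 0000004a JMSConnection I   Connected to queue manager QM1
[3/14/17 10:02:13:118 UTC] 0000004a ClassLoader   W   Loading class com.example.Untrusted from /tmp/dropped.jar
[3/14/17 10:02:13:121 UTC] 0000004a ObjectMessage E   java.io.InvalidClassException: com.example.Untrusted; invalid for deserialization
[3/14/17 10:02:14:200 UTC] 0000004b JMSConsumer   I   Received message id 1234
[3/14/17 10:02:15:330 UTC] 0000004c ObjectMessage E   java.lang.ClassNotFoundException: com.example.Missing
"""

# Exception names from the SIEM query; class loads from anywhere outside these
# directories are treated as "unexpected class loading events".
DESER_EXCEPTIONS = ("ClassNotFoundException", "InvalidClassException", "NotSerializableException")
TRUSTED_CLASSPATH_PREFIXES = ("/opt/mqm/", "/path/to/websphere/lib/")  # assumption: approved jar dirs

LINE_RE = re.compile(r"^\[[^\]]+\] (?P<thread>[0-9a-f]{8}) ")
CLASSLOAD_RE = re.compile(r"Loading class (\S+) from (\S+)")

@dataclass
class Finding:
    line_no: int
    thread: str
    kind: str      # "deserialization_exception" or "untrusted_class_load"
    detail: str

def scan_log(text, trusted_prefixes=TRUSTED_CLASSPATH_PREFIXES):
    """Return one Finding per matching indicator, in log order."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        thread = m.group("thread") if m else "?"
        for exc in DESER_EXCEPTIONS:
            if exc in line:
                findings.append(Finding(n, thread, "deserialization_exception", exc))
        cl = CLASSLOAD_RE.search(line)
        if cl and not cl.group(2).startswith(trusted_prefixes):
            findings.append(Finding(n, thread, "untrusted_class_load", f"{cl.group(1)} from {cl.group(2)}"))
    return findings

def correlated_threads(findings):
    """Threads that both loaded a class from an untrusted path and hit a
    deserialization exception: a much stronger signal than either alone."""
    by_thread = {}
    for f in findings:
        by_thread.setdefault(f.thread, set()).add(f.kind)
    return {t for t, kinds in by_thread.items() if len(kinds) == 2}
```

Running scan_log over a real log export and escalating only the threads returned by correlated_threads keeps the noisy single-exception hits as low-priority context.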
