The first in a series of white papers discussing IBM WebSphere MQ security has been released by Martyn Ruks of MWR InfoSecurity.
IBM’s WebSphere MQ is a widely used and respected middleware application for handling messaging within an enterprise network. Its popularity and level of adoption arises from its robustness, scalability, functionality and compatibility with a wide range of platforms and applications. Whilst the software has a large number of security features the complexity of the environments within which it operates often results in it being poorly configured. This environmental complexity and the richness of the product’s feature set can make it an attractive target to attackers. In an era when “front-end” web applications and “back-end” databases are subject to increasingly intensive security testing the weakest link in an application can now often be found in the middleware.
Applications that are not well documented within penetration testing manuals and for which there is no well defined testing toolkit available can often be brushed over during a penetration test. However, a skilled attacker will not concern themselves with such limitations and could exploit any vulnerabilities that are present in the system with devastating effect. This paper documents the results of research and investigation into WebSphere MQ systems and introduces a methodology for assessing the security of the software product from the perspective of a penetration tester.
It has been discovered that WebSphere MQ environments can be secured but this is not a trivial process and a detailed understanding of the technology is required. The information included within this document can be used to understand the requirements of those people who are responsible for the security of such environments.