In mid-2022, IBM quietly patched a sneaky bug, now known as CVE-2022-35719, in their IBM MQ Internet Pass-Thru (IPT). This vulnerability affects versions 2.1, 9.2 LTS, and 9.2 CD, and revolves around trace files potentially exposing passwords, messages, and other sensitive info to local users.
In this article, we’ll break down what happened, walk through some demonstration code, and explain why this bug matters, even if it doesn’t let someone take over your system outright.
What is IBM MQ Internet Pass-Thru (IPT)?
IBM MQ IPT is a proxy application, usually deployed in DMZs, that forwards queue manager traffic between internal and external networks. It's widely used for business integrations, securely relaying vital data between business partners and cloud services.
The Vulnerability at a Glance
When IPT runs with trace logging enabled (usually for debugging or troubleshooting), it saves detailed info about the traffic it’s forwarding to trace files on the local file system.
The bug: Under some circumstances, these trace files may inadvertently include sensitive information like:
MQ message bodies and headers that might include financial, personal, or proprietary data.
These files are accessible to any user on the same server with permissions to read the directory, meaning even non-admin users or malware could quietly steal this information simply by scanning the filesystem.
IPT 9.2 CD
Fixed in:
9.2.5 (CD)
See the full IBM security bulletin.
How the Vulnerability Works – An Example
Let’s look at a simplified example of how this issue could be exploited.
An admin runs IPT with trace enabled like this
java -jar ipt.jar -trace IPTTrace.log
2. Password and Sensitive Data Pass Through
A user, application, or automation script connects through IPT using a username/password.
A snippet from a real-world trace file might look like
2022-05-15 12:05:33.001 [Connection] Source=10.10.10.12 Dest=QueueManager1
User authentication: user=finance_admin password=s3cr3t!
Received MQ message:
<MQRFH2><usr><order>Buy 100 XYZ shares</order></usr></MQRFH2>
4. Any Local User Can Read the Trace
If the trace directory is world-readable (e.g. /var/log/ipt permissions set to 755), or a misconfigured application runs IPT under an account shared with other users, anyone logged into the system could execute something like this:
cat /var/log/ipt/IPTTrace.log
# or
grep 'password=' /var/log/ipt/IPTTrace.log
Why is This a Problem?
- Insider Threat: Any internal user with access to IPT logs could gather passwords or proprietary messages, then use or sell them.
- Malware: Attackers who compromise a simple user account could dump these logs and scrape the info for lateral movement.
- PII/PHI Leak: If your business deals with regulated or personal data, you may be accidentally logging it and exposing it to risk.
- Audit Failures: Trace files containing sensitive info may violate your own compliance rules or data-retention policies.
Real-World Exploit Scenario
Here’s a simple Python script that a local attacker might use to scan for passwords in IPT trace files:
import os
trace_path = "/var/log/ipt/"
for filename in os.listdir(trace_path):
with open(os.path.join(trace_path, filename), 'r') as f:
for line in f:
if 'password=' in line or 'User authentication:' in line:
print(f"[Sensitive] {filename}: {line.strip()}")
Just running this script on the server would dump all lines with cleartext passwords or other sensitive credentials.
TL;DR: Update Now!
- Apply IBM’s patches as soon as possible (download here), which change trace file logic to avoid sensitive info leaks.
`bash
chmod 700 /var/log/ipt
`
- Avoid enabling trace logging in production unless absolutely necessary, and disable it as soon as you’re finished troubleshooting.
`bash
shred -u /var/log/ipt/IPTTrace.log
Key Takeaways
- CVE-2022-35719 is not remote code execution, but it’s serious for environments where sensitive data passes through IPT.
- Don’t rely solely on trust – always harden and monitor logging paths, and keep your MQ IPT up to date.
- If you’ve been running trace logging, review old logs for leaks and sanitize or securely delete them.
References (Official Links)
- IBM Security Bulletin for CVE-2022-35719
- IBM MQ Internet Pass-Thru Documentation
Stay secure! If your MQ Internet Pass-Thru is below the fixed version and you use trace, update and clean your logs as soon as you can.
Timeline
Published on: 11/14/2022 17:15:00 UTC
Last modified on: 11/16/2022 21:04:00 UTC