PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-0360 IBM CVE debrief

CVE-2016-0360 is a critical deserialization vulnerability in IBM WebSphere MQ JMS client versions 7.0.1, 7.1, 7.5, 8.0, and 9.0. IBM and NVD describe client classes that deserialize objects from untrusted sources, which could allow arbitrary Java code execution when vulnerable classes are present on the classpath.

Vendor: IBM
Product: IBM WebSphere MQ JMS client
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-15
Original CVE updated: 2026-05-13
Advisory published: 2017-02-15
Advisory updated: 2026-05-13

Who should care

Java application owners, JVM platform teams, and security teams running IBM WebSphere MQ JMS client libraries, especially where the application deserializes untrusted input or runs with a broad classpath.

Technical summary

NVD classifies the issue as CWE-502 (deserialization of untrusted data) and assigns CVSS v3.0 9.8 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The affected IBM WebSphere MQ JMS client versions listed in the official record are 7.0.1, 7.1, 7.5, 8.0, and 9.0.

Defensive priority

Critical. The combination of unauthenticated network reachability, no user interaction, and high confidentiality/integrity/availability impact makes this a high-priority patching and exposure-reduction item.

Recommended defensive actions

  • Inventory all applications and servers using IBM WebSphere MQ JMS client versions 7.0.1, 7.1, 7.5, 8.0, or 9.0.
  • Apply IBM PSIRT remediation guidance from the vendor advisory and move to a remediated IBM-supported release.
  • Reduce or eliminate deserialization of untrusted objects in affected application paths.
  • Review Java classpaths for unnecessary or vulnerable classes and remove any that expand the attack surface.
  • Limit exposure of affected client code to untrusted sources until remediation is complete.

Evidence notes

The official NVD record lists the affected IBM WebSphere MQ JMS client versions and classifies the weakness as CWE-502 with CVSS v3.0 9.8. The IBM vendor advisory referenced in NVD is the primary remediation source. The supplied corpus does not include exact fixed-version details, so the debrief avoids naming a specific patched release.

Official resources

CVE published 2017-02-15; NVD last modified 2026-05-13. No KEV entry is present in the supplied corpus.