Properties Missing SSL Configuration
Description
Detects when IBM MQ connections have SSL/TLS encryption explicitly disabled in Java properties files. This creates an insecure communication channel where messages could be intercepted or tampered with.
Detection Strategy
• Check Java properties files for the 'ibm.mq.use_ssl' configuration key
• Flag as vulnerable if this property is explicitly set to 'false'
• Report vulnerability with location of the insecure setting in the properties file
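The detection steps above as a small Python checker. This is an added example, not Fluid Attacks' scanner code; the function name `scan_properties`, the constructed sample input and the case-insensitive match on `false` are assumptions. It goes one step beyond the listed strategy by marking whether a flagged line is the effective setting, since `java.util.Properties` keeps the last duplicate of a key.

```python
import re

KEY = "ibm.mq.use_ssl"  # property named in the detection strategy
# key, optional '=' or ':' separator (or plain whitespace), then the value
ENTRY = re.compile(r"^\s*([^\s=:]+)\s*[=:]?\s*(.*?)\s*$")


def scan_properties(text, path="<memory>"):
    """Return one finding per line that sets KEY to false.

    Each finding carries the file name, the 1-based line number, the line
    text, and whether that line is the effective setting (the last
    assignment of a duplicated key wins when Java loads the file).
    Backslash line continuations are not handled (hypothetical helper).
    """
    hits, last_line = [], None
    for number, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped[0] in "#!":  # blank line or comment
            continue
        match = ENTRY.match(line)
        if not match or match.group(1) != KEY:
            continue
        last_line = number
        if match.group(2).lower() == "false":  # assumption: case-insensitive
            hits.append({"path": path, "line": number, "text": stripped})
    for hit in hits:
        hit["effective"] = hit["line"] == last_line
    return hits


# Constructed sample modelled on the vulnerable example on this page.
SAMPLE = """\
ibm.mq.use_ssl=true
# Vulnerable: SSL explicitly disabled, exposing MQ communications
ibm.mq.use_ssl=false
ibm.mq.cipher.suite=TLS_RSA_WITH_AES_128_CBC_SHA256
"""

if __name__ == "__main__":
    for f in scan_properties(SAMPLE, "application.properties"):
        state = "effective" if f["effective"] else "overridden later"
        print(f"{f['path']}:{f['line']}: {f['text']} ({state})")
```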
Vulnerable code example
ibm.mq.use_ssl=true
# Vulnerable: SSL explicitly disabled, exposing MQ communications
ibm.mq.use_ssl=false
# Vulnerable: Weak cipher suite using CBC mode
ibm.mq.cipher.suite=TLS_RSA_WITH_AES_128_CBC_SHA256
...
Secure code example
# Enable SSL/TLS encryption
ibm.mq.use_ssl=true
# Use modern TLS version
ibm.mq.ssl.protocol=TLSv1.3
# Use strong cipher suite with perfect forward secrecy (ECDHE) and GCM mode
ibm.mq.cipher.suite=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
...