APAR status
Closed as program error.
Error description
The mqweb server, which runs inside of a WebSphere Liberty application server, does not specify the SameSite cookie attribute. This means that LTPA cookies generated by the MQ Console and MQ REST API running inside the mqweb server are, depending on the web browser being used:
- Either sent for both "same-site" and "cross-site" requests.
- Or sent for "same-site" navigation requests, and "cross-site" top-level navigation requests.
Local fix
N/A
Problem summary
****************************************************************
USERS AFFECTED: This affects users of:
- The IBM MQ Console
- The IBM MQ REST API
Platforms affected: MultiPlatform
****************************************************************
PROBLEM DESCRIPTION:
Web browsers use the SameSite attribute to determine if a cookie should be sent with a request. The attribute can take one of three possible values:
1) SameSite=Strict
When SameSite is set to "Strict", the cookie is only sent by a web browser if the site for the cookie matches the site that the browser is trying to access.
2) SameSite=Lax
Here, a browser will send a cookie for both "same-site" requests (where the site for the cookie matches the site the browser is accessing) and "cross-site" top-level navigation requests.
3) SameSite=None
If SameSite is set to "None", the browser sends the cookie for every request.
The mqweb server, which runs inside of WebSphere Liberty, did not set the SameSite attribute on LTPA security cookies that it generated. Depending on the web browser being used, this resulted in the cookies being sent for:
- Either "same-site" and "cross-site" requests (which is equivalent to SameSite=None)
- Or "same-site" navigation requests, and "cross-site" top-level navigation requests (which is equivalent to SameSite=Lax).
Problem conclusion
The mqweb server has been updated to set the WebSphere Liberty security property sameSiteCookie="strict". This ensures that any LTPA security cookies generated by the MQ Console and MQ REST API are only sent for "same-site" requests, where the site for the cookie matches the site that the browser is accessing.
---------------------------------------------------------------
The fix is targeted for delivery in the following PTFs:
Version    Maintenance Level
v9.1 LTS   9.1.0.12
v9.2 LTS   9.2.0.7
v9.x CD    9.2.1
The latest available maintenance can be obtained from 'WebSphere MQ Recommended Fixes'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
If the maintenance level is not yet available, information on its planned availability can be found in 'WebSphere MQ Planned Maintenance Release Dates'
http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
---------------------------------------------------------------
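As an added illustration (not part of this APAR and not IBM's code), the following Python models the three SameSite behaviours described in the problem summary, including the browser-dependent outcome when the attribute is absent, and audits a Set-Cookie header for the SameSite=Strict setting the fix introduces. It assumes the LTPA cookie is named LtpaToken2 (Liberty's LTPA cookie name, not stated on this page); the header values are constructed.

```python
"""Added example (not IBM's code): SameSite rules from the APAR plus a Set-Cookie audit."""

def cookie_sent(same_site, cross_site, top_level_navigation, browser_default="Lax"):
    """Would a browser attach the cookie to a request?

    same_site: the cookie's SameSite value, or None if the attribute is absent.
    cross_site: True when the request target's site differs from the cookie's site.
    top_level_navigation: True for a top-level navigation (e.g. following a link).
    browser_default: policy applied when the attribute is absent: "Lax" for browsers
        that default to Lax, "None" for browsers that send the cookie everywhere.
    """
    policy = (same_site or browser_default).lower()
    if not cross_site:
        return True                    # same-site requests always carry the cookie
    if policy == "strict":
        return False                   # Strict: never sent cross-site
    if policy == "lax":
        return top_level_navigation    # Lax: cross-site only for top-level navigation
    return True                        # None: sent for every request


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute_lower: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")      # flag attributes (Secure, HttpOnly) get ""
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value, security_cookies=("LtpaToken2",)):
    """Classify a security cookie's SameSite setting: 'strict' is the fixed state,
    'missing' is the pre-fix state whose behaviour depends on the browser."""
    name, _, attrs = parse_set_cookie(header_value)
    if name not in security_cookies:
        return name, "ignored"
    same_site = attrs.get("samesite")
    if same_site is None:
        return name, "missing"
    return name, same_site.lower()


# Constructed headers; the cookie name LtpaToken2 is an assumption (Liberty's
# LTPA cookie) and the token value is a placeholder, not a real token.
BEFORE_FIX = "LtpaToken2=<placeholder-token>; Path=/; Secure; HttpOnly"
AFTER_FIX = "LtpaToken2=<placeholder-token>; Path=/; Secure; HttpOnly; SameSite=Strict"
```

Running audit_set_cookie over the Set-Cookie headers of an mqweb login response is a quick way to confirm the fix is in effect after applying the PTF.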
Temporary fix
Comments
APAR Information
APAR number
IT36669
Reported component name
MQ BASE V9.2
Reported component ID
5724H7281
Reported release
920
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2021-04-22
Closed date
2022-07-13
Last modified date
2022-10-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
MQ BASE V9.2
Fixed component ID
5724H7281
Applicable component levels
Document Information
Modified date:
11 October 2022