Security Bulletin: IBM MQ Console is vulnerable to a Click-jacking attack. (CVE-2019-4285)

2019-12-1915:23:49

www.ibm.com

0.001 Low

EPSS

Percentile

28.9%

JSON

Summary

The Liberty Admin Center, which is part of IBM WebSphere Liberty Profile used to host the IBM MQ Console, could allow a remote attacker to hijack the clicking action of the victim.

Vulnerability Details

CVEID:CVE-2019-4285
**DESCRIPTION:**IBM WebSphere Application Server - Liberty Admin Center could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim’s click actions or launch other client-side browser attacks. IBM X-Force ID: 160513.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160513 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Affected Product(s)	Version(s)
IBM MQ	9.1 LTS
IBM MQ	9.1 CD

Remediation/Fixes

IBM MQ 9.1 LTS

Apply FixPack 9.1.0.4

IBM MQ 9.1 CD

Upgrade to version 9.1.4

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm mqeq9.1.0.0
ibm mqeq9.1.0.1
ibm mqeq9.1.0.2
ibm mqeq9.1.0.3
ibm mqeq9.1.1
ibm mqeq9.1.2
ibm mqeq9.1.3

Name	Operator	Version
ibm mq	eq	9.1.0.0
ibm mq	eq	9.1.0.1
ibm mq	eq	9.1.0.2
ibm mq	eq	9.1.0.3
ibm mq	eq	9.1.1
ibm mq	eq	9.1.2
ibm mq	eq	9.1.3

0.001 Low

EPSS

Percentile

28.9%

JSON

Related for 0A24F1AE407A578D3688D928BCDBD00C72449F28517EA675E01307B7641CD158