
Security Bulletin: IBM MQ is vulnerable to an issue in follow-redirects due to open redirect (CVE-2023-26159)

Published 2024-04-26 14:01:42 by www.ibm.com

CVSS3: 7.3

- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: LOW
- Integrity Impact: LOW
- Availability Impact: LOW
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P

AI Score: 6.2 (Confidence: High)

EPSS: 0.001 (Percentile: 19.8%)

Summary

IBM MQ has addressed an issue in follow-redirects, a library that IBM MQ uses as part of the MQ Console.

Vulnerability Details

**CVEID:** CVE-2023-26159
**DESCRIPTION:** follow-redirects could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability using a specially crafted URL to redirect a victim to arbitrary Web sites.
**CVSS Base score:** 6.1
**CVSS Temporal Score:** see <https://exchange.xforce.ibmcloud.com/vulnerabilities/278622> for the current score.
**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM MQ | 9.2 LTS |
| IBM MQ | 9.3 LTS |
| IBM MQ | 9.3 CD |

The following installable MQ components are affected by the vulnerability:

- REST API and Console

If you are running any of these listed components, please apply the remediation/fixes as described below. For more information on the definitions of components used in this list see <https://www.ibm.com/support/pages/installable-component-names-used-ibm-mq-security-bulletins>

Remediation/Fixes

This issue was addressed under APAR IT45253.

| IBM MQ version | Fix |
|---|---|
| 9.2 LTS | Apply Fix Pack 9.2.0.25 |
| 9.3 LTS | Apply Cumulative Security Update 9.3.0.17 |
| 9.3 CD | Upgrade to IBM MQ version 9.3.5 CD |
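To turn the fix levels above into a quick inventory check, here is an added example (not IBM's code) that classifies an installed IBM MQ level against this bulletin. It assumes `dspmqver`-style output with a `Version:` line, that modification level 0 (9.x.0.y) is the LTS stream and anything else is CD, and that the `web_components_installed` flag reflects whether the REST API and Console component is present.

```python
import re

# Minimum fixed levels taken from the bulletin, keyed by (major, minor, stream).
FIXED = {
    (9, 2, "LTS"): (9, 2, 0, 25),   # Fix Pack 9.2.0.25
    (9, 3, "LTS"): (9, 3, 0, 17),   # Cumulative Security Update 9.3.0.17
    (9, 3, "CD"):  (9, 3, 5, 0),    # IBM MQ 9.3.5 CD
}

# Constructed sample in the shape of dspmqver output (not a real capture).
SAMPLE_LTS = """Name:        IBM MQ
Version:     9.3.0.10
Platform:    IBM MQ for Linux (x86-64 platform)
InstName:    Installation1
"""

def parse_version(text):
    """Return the 'Version:' line of dspmqver-style output as a 4-tuple of ints."""
    m = re.search(r"^Version:\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text, re.M)
    if not m:
        raise ValueError("no Version: line found")
    return tuple(int(x) for x in m.groups())

def stream_of(version):
    """Assumption: modification level 0 is LTS (9.x.0.y); anything else is CD."""
    major, minor, mod, _ = version
    return (major, minor, "LTS" if mod == 0 else "CD")

def assess(text, web_components_installed=True):
    """Classify an install as 'fixed', 'affected', 'not affected' or 'not covered'."""
    version = parse_version(text)
    key = stream_of(version)
    if key not in FIXED:
        return "not covered"      # release stream not listed in this bulletin
    if not web_components_installed:
        return "not affected"     # only the REST API and Console component is affected
    # Tuple comparison orders versions numerically, so 9.3.0.10 < 9.3.0.17.
    return "fixed" if version >= FIXED[key] else "affected"

if __name__ == "__main__":
    for label, text in [("sample LTS", SAMPLE_LTS), ("CD", "Version: 9.3.4.0\n")]:
        print(label, parse_version(text), assess(text))
```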

Workarounds and Mitigations

None

Affected configurations (Vulners)

ibm mq 9.2 OR ibm mq 9.3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | mq | 9.2 | cpe:2.3:a:ibm:mq:9.2:*:*:*:*:*:*:* |
| ibm | mq | 9.3 | cpe:2.3:a:ibm:mq:9.3:*:*:*:*:*:*:* |
