CVE-2023-28513: 
IBM WebSphere MQ vulnerability analysis and mitigation

IBM MQ and IBM MQ Appliance versions (9.0 LTS, 9.1 LTS, 9.2 LTS, 9.3 LTS, 9.2 CD, and 9.3 CD) are affected by a denial of service vulnerability (CVE-2023-28513) caused by an error in processing messages under certain configurations. The vulnerability was disclosed on June 28, 2023 (IBM Advisory, IBM Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 HIGH by NIST (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), while IBM rated it with a CVSS score of 5.9 MEDIUM (Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). The difference in scoring primarily relates to the Attack Complexity assessment, where IBM considers it High while NIST assesses it as Low (NVD).

When successfully exploited, this vulnerability can result in a denial of service attack affecting the availability of the IBM MQ system. The vulnerability specifically impacts the server component of the affected products (IBM Advisory).

IBM has released fixes for all affected versions: IBM MQ 9.0 LTS (update 9.0.0.18), 9.1 LTS (update 9.1.0.16), 9.2 LTS (fix pack 9.2.0.15), 9.3 LTS (update 9.3.0.6), and for CD versions, upgrade to IBM MQ Version 9.3.3 is recommended. For MQ Appliance, specific firmware updates are available: 9.2.0.15 fix pack or later for 9.2 LTS, 9.2.5.8 or later for 9.2 CD, 9.3.0.6 or later for 9.3 LTS, and version 9.3.3 or later for 9.3 CD. No workarounds are available (IBM Advisory, IBM Advisory).