Security Bulletin: IBM Security Verify Information Queue does not hide the InfluxDB credentials when setting up the logs stack (CVE-2021-20410)

Summary

IBM Security Verify Information Queue (ISIQ) offers an optional logs stack to demonstrate logging and monitoring. The logs stack YAML file has parameters for defining an InfluxDB instance. The parameters include the InfluxDB user and password credentials. As of ISIQ v10.0.0, these credentials have been removed from the YAML file, and the customer must add the InfluxDB credentials after installation.

Vulnerability Details

CVEID:CVE-2021-20410
**DESCRIPTION:**IBM Security Verify Information Queue sends user credentials in plain clear text which can be read by an authenticated user using man in the middle techniques.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Download and install the latest IBM Security Verify Information Queue images (tagged at 10.0.0 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit&gt;

Workarounds and Mitigations

None