History: Feb 11, 2021 - 6:01 p.m.

Security Bulletin: IBM Security Verify Information Queue does not hide the InfluxDB credentials when setting up the logs stack (CVE-2021-20410)

2021-02-11 18:01:58
www.ibm.com

EPSS: 0.001 (Low), Percentile: 23.7%

Summary

IBM Security Verify Information Queue (ISIQ) offers an optional logs stack to demonstrate logging and monitoring. The logs stack YAML file has parameters for defining an InfluxDB instance. The parameters include the InfluxDB user and password credentials. As of ISIQ v10.0.0, these credentials have been removed from the YAML file, and the customer must add the InfluxDB credentials after installation.
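A check an operator could run against a deployed logs stack file to confirm that no InfluxDB credentials remain inline. This is an added example, not IBM's code: it assumes a Compose-style YAML with `environment` entries, and the key names and both sample files are constructed for illustration, not taken from the ISIQ starter kit.

```python
import re

# One "KEY=value" or "KEY: value" entry, after list dash and outer quotes are removed.
ENTRY = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*(.*)$")
# Assumption: credential keys mention InfluxDB and a user or password.
CRED_KEY = re.compile(r"influx.*(user|pass)", re.IGNORECASE)
# ${VAR} or $VAR: the value is supplied at deploy time, not stored in the file.
REFERENCE = re.compile(r"^\$\{[^}]+\}$|^\$[A-Za-z_][A-Za-z0-9_]*$")

def find_inline_credentials(yaml_text):
    """Return (line_number, key) for credential keys set to a literal value."""
    findings = []
    for number, raw in enumerate(yaml_text.splitlines(), start=1):
        line = raw.split(" #", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith("#"):
            continue
        match = ENTRY.match(line.lstrip("-").strip().strip("'\""))
        if not match or not CRED_KEY.search(match.group(1)):
            continue
        value = match.group(2).strip().strip("'\"")
        if value and not REFERENCE.match(value):  # empty or referenced is fine
            findings.append((number, match.group(1)))
    return findings

# Constructed sample: credentials written directly into the stack file.
SAMPLE_BEFORE = """\
services:
  influxdb:
    image: influxdb:1.8
    environment:
      - INFLUXDB_DB=logs
      - INFLUXDB_ADMIN_USER=admin
      - INFLUXDB_ADMIN_PASSWORD=example-password
"""

# Constructed sample: the same keys filled from the deploy-time environment.
SAMPLE_AFTER = """\
services:
  influxdb:
    image: influxdb:1.8
    environment:
      INFLUXDB_DB: logs
      INFLUXDB_ADMIN_USER: ${INFLUX_ADMIN_USER}
      INFLUXDB_ADMIN_PASSWORD: "${INFLUX_ADMIN_PASSWORD}"
"""

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, find_inline_credentials(text))
```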

Vulnerability Details

**CVEID:** CVE-2021-20410
**DESCRIPTION:** IBM Security Verify Information Queue sends user credentials in plain clear text which can be read by an authenticated user using man-in-the-middle techniques.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196190 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Security Verify Information Queue | 1.0.6, 1.0.7 |

Remediation/Fixes

Download and install the latest IBM Security Verify Information Queue images (tagged at 10.0.0 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>

Workarounds and Mitigations

None
