Security Bulletin: IBM Common Licensing is affected by a Weak Password Policy vulnerability (CVE-2024-40697)

2024-08-12 04:23:09
www.ibm.com
Tags: ibm common licensing, weak password policy, vulnerability, fix available

CVSS3: 7.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score: 6.9
Confidence: High

EPSS: 0.001
Percentile: 32.6%

Summary

By default, IBM LKS Administration and Reporting Tool and Administration Agent do not require user passwords to meet a defined length, which makes it easier for attackers to compromise user accounts. This is addressed in the Remediation/Fixes section.

Vulnerability Details

CVEID: CVE-2024-40697
DESCRIPTION: IBM Common Licensing does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.
CVSS Base score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/297895 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Common Licensing Agent | 9.0 |
| IBM Common Licensing ART | 9.0 |

Remediation/Fixes

Download and apply Interim Fix Pack IBM_Common_Licensing_ICL_9.0.0.1 from Fix Central.

Users are strongly advised to update to the latest version (IBM Common Licensing 9.0.0.1) to mitigate any potential risks associated with this vulnerability.

Workarounds and Mitigations

None

Affected configurations

Node: ibm common_licensing, Match 9.0

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | common_licensing | 9.0 | cpe:2.3:a:ibm:common_licensing:9.0:*:*:*:*:*:*:* |
