Apr 13, 2023 - 5:05 p.m.

Security Bulletin: Vulnerability Identified in Cloud Pak System (CVE-2020-4914)

2023-04-13 17:05:18
www.ibm.com

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0
Percentile: 5.1%

Summary

A session invalidation vulnerability was identified in the IBM Cloud Pak System UI and REST API at logout. IBM Cloud Pak System has addressed the vulnerability.

Vulnerability Details

CVEID: CVE-2020-4914
**DESCRIPTION:** IBM Cloud Pak System does not invalidate the session after logout, which could allow a local user to impersonate another user on the system.
CVSS Base score: 4.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/191290 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| IBM Cloud Pak System Software Suite | 2.3.3.0 - 2.3.3.5 |
| IBM Cloud Pak System | 2.3 |

For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product.

Remediation/Fixes

The recommended solution is to apply the fix reported below as soon as practical.

In response to the vulnerability, IBM released Cloud Pak System v2.3.3.6 on Intel.

For IBM Cloud Pak System v2.3.0.1, v2.3.1.0, v2.3.3.0, v2.3.3.1, v2.3.3.2, v2.3.3.3, v2.3.3.3 Interim Fix1, v2.3.3.4, v2.3.3.5:

Upgrade to Cloud Pak System v2.3.3.6, available at FixCentral.

Information on upgrading: <http://www.ibm.com/support/docview.wss?uid=ibm10887959>

Workarounds and Mitigations

None

Affected configurations

Vulners node: ibm cloud_pak_system, match 2.3

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | cloud_pak_system | 2.3 | cpe:2.3:a:ibm:cloud_pak_system:2.3:*:*:*:*:*:*:* |
