Security Bulletin: IBM Security Information Queue contains hard-coded credentials (CVE-2020-4283)

Summary

IBM Security Information Queue (ISIQ) stores the JSON web token (JWT) secret in plain text in one of its YAML files. As of v1.0.5, ISIQ generates an encrypted JWT secret during product configuration.

Vulnerability Details

CVEID:CVE-2020-4283
**DESCRIPTION:**IBM Security Information Queue (ISIQ) contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/176206 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged at 1.0.5 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit&gt;

Workarounds and Mitigations

None