
Security Bulletin: IBM Security Information Queue has insufficient session expiration (CVE-2020-4284)

2020-04-07 16:08:00
www.ibm.com

EPSS: 0.001 (Low), percentile 27.9%

Summary

IBM Security Information Queue (ISIQ) does not have a mechanism for terminating idle UI sessions. This leaves an unattended ISIQ session vulnerable to being compromised. As of v1.0.6, ISIQ automatically terminates a session that has been idle for 60 minutes. The timeout value is configurable.

Vulnerability Details

CVEID: CVE-2020-4284
DESCRIPTION: IBM Security Information Queue (ISIQ) could disclose sensitive information to an unauthorized user due to insufficient timeout functionality in the Web UI.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/176207 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s): IBM Security Information Queue (ISIQ)
Version(s): 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5

Remediation/Fixes

Download and install the latest IBM Security Information Queue images (tagged at 1.0.6 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit>

Workarounds and Mitigations

Always log out of the ISIQ UI after completing configuration tasks.
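The defect class described in the Summary (no idle-session termination, fixed in v1.0.6 by a configurable idle timeout defaulting to 60 minutes) and the workaround above (explicit logout) are illustrated by the following added example. It is not ISIQ's code and is not derived from IBM's implementation: it models a generic server-side session store, first without idle expiration and then with a configurable idle timeout, using an injected clock so the behaviour can be checked deterministically. All class, function and parameter names (NoExpirySessionStore, IdleExpirySessionStore, authenticate, purge_idle, idle_timeout_seconds) are illustrative assumptions.

```python
"""Idle-session expiration, as an added example (not ISIQ's code).

Contrasts a session store that keeps a session valid until explicit logout
(the pattern behind CVE-2020-4284) with one that enforces a configurable
idle timeout. The 60-minute default mirrors the value the bulletin states
for ISIQ v1.0.6; everything else here is an illustrative assumption.
"""
import secrets
from dataclasses import dataclass

# 60 minutes, the default idle timeout the bulletin states for v1.0.6.
DEFAULT_IDLE_TIMEOUT_SECONDS = 60 * 60


@dataclass
class Session:
    token: str
    user: str
    created_at: float
    last_activity: float


class NoExpirySessionStore:
    """Vulnerable pattern: a session stays valid until the user logs out."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, now):
        # 256-bit random token; 'now' is a caller-supplied clock (seconds).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(token, user, now, now)
        return token

    def authenticate(self, token, now):
        """Return the user bound to 'token', or None if the session is invalid."""
        s = self._sessions.get(token)
        if s is None:
            return None
        s.last_activity = now
        return s.user

    def logout(self, token):
        # The bulletin's workaround: explicit logout is the only way out here.
        self._sessions.pop(token, None)


class IdleExpirySessionStore(NoExpirySessionStore):
    """Hardened pattern: reject and purge sessions idle beyond the timeout."""

    def __init__(self, idle_timeout_seconds=DEFAULT_IDLE_TIMEOUT_SECONDS):
        super().__init__()
        if idle_timeout_seconds <= 0:
            raise ValueError("idle timeout must be positive")
        self.idle_timeout = idle_timeout_seconds

    def authenticate(self, token, now):
        s = self._sessions.get(token)
        if s is None:
            return None
        if now - s.last_activity > self.idle_timeout:
            # Idle too long: invalidate server-side so the token cannot be reused,
            # even if the browser still holds the cookie.
            del self._sessions[token]
            return None
        s.last_activity = now  # any authenticated request resets the idle clock
        return s.user

    def purge_idle(self, now):
        """Reap idle sessions proactively (e.g. from a periodic task); returns the count."""
        expired = [t for t, s in self._sessions.items()
                   if now - s.last_activity > self.idle_timeout]
        for t in expired:
            del self._sessions[t]
        return len(expired)


def demo():
    """Constructed scenario: an admin session left unattended for two hours."""
    t0 = 1_000_000.0
    two_hours = 2 * 60 * 60
    vulnerable = NoExpirySessionStore()
    tok = vulnerable.login("admin", t0)
    still_valid = vulnerable.authenticate(tok, t0 + two_hours)  # "admin": never expires

    hardened = IdleExpirySessionStore()
    tok2 = hardened.login("admin", t0)
    active = hardened.authenticate(tok2, t0 + 30 * 60)                  # 30 min idle: "admin"
    expired = hardened.authenticate(tok2, t0 + 30 * 60 + two_hours)     # > 60 min idle: None
    return still_valid, active, expired


if __name__ == "__main__":
    print(demo())
```

The check is done on every authenticated request rather than only by a background reaper, so an idle session is refused the moment it is next presented; purge_idle exists only to free server memory and to shrink the window in which a stale token still exists at all. Absolute session lifetime (time since created_at) is a separate control not shown here.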
