Aug 01, 2019 - 7:16 p.m.

Security Bulletin: IBM Cloud Private ingress log files contain sensitive information (CVE-2019-4284)

2019-08-01 19:16:13
www.ibm.com

EPSS: 0.0004 (Low), percentile 5.1%

Summary

IBM Cloud Private ingress log files contain sensitive information

Vulnerability Details

CVEID: CVE-2019-4284
DESCRIPTION: IBM Cloud Private could allow a local privileged user to obtain a sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160512> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
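
A check for log files already written by an affected cluster, as an added example that is not part of IBM's bulletin: it scans log lines for strings that parse as a JWT (the form an OIDC ID token takes) and redacts them, keeping the subject and expiry for triage. It assumes the logged token is in JWT form; the sample token and log lines are constructed and do not reproduce the product's actual log format.

```python
import base64
import json
import re

# A JWT is three base64url segments joined by dots; the header is a JSON
# object, so its encoding always starts with "eyJ" (base64url of '{"').
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")


def _decode_segment(segment):
    """Decode a base64url segment into a dict; None if it is not a JSON object."""
    try:
        obj = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    return obj if isinstance(obj, dict) else None


def find_tokens(line):
    """Return (token, claims) for each string in the line that parses as a JWT."""
    hits = []
    for match in JWT_RE.finditer(line):
        header_seg, payload_seg, _signature = match.group(0).split(".")
        header, claims = _decode_segment(header_seg), _decode_segment(payload_seg)
        if header and "alg" in header and claims is not None:
            hits.append((match.group(0), claims))
    return hits


def redact(line):
    """Replace confirmed tokens, keeping only the subject and expiry for triage."""
    for token, claims in find_tokens(line):
        line = line.replace(
            token, "[REDACTED-JWT sub=%s exp=%s]" % (claims.get("sub"), claims.get("exp")))
    return line


def _encode_segment(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


# Constructed sample data: a made-up token and made-up log lines, not the
# product's real log format.
SAMPLE_TOKEN = ".".join([_encode_segment({"alg": "RS256", "typ": "JWT"}),
                         _encode_segment({"sub": "user1", "exp": 1564687000}), "c2ln"])
SAMPLE_LOG = [
    '10.0.0.5 "GET /api HTTP/1.1" 200 authorization="Bearer %s"' % SAMPLE_TOKEN,
    '10.0.0.5 "GET /healthz HTTP/1.1" 200 -',
    '10.0.0.7 "GET /x?ref=eyJhbGciOi.not.ajwt HTTP/1.1" 404 -',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(redact(entry))
```

A token found this way whose `exp` is still in the future should be treated as exposed to anyone with read access to that log.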

Affected Products and Versions

IBM Cloud Private 2.1.x, 3.1.0, 3.1.1, 3.1.2

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages:

  • IBM Cloud Private 3.1.2
  • IBM Cloud Private 3.1.1

For IBM Cloud Private 3.1.2, apply patch:

For IBM Cloud Private 3.1.1, apply patch:

For IBM Cloud Private 3.1.0, apply patch:

For IBM Cloud Private, 2.1.x:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.0.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance.

Workarounds and Mitigations

None
