Security Bulletin: IBM OpenPages Is Vulnerable to Privilege Escalation attack (CVE-2023-38738)

Summary

IBM OpenPages with Watson is affected by unauthorized account access due to Native authentication method. This vulnerability is addressed.

Vulnerability Details

CVEID:CVE-2023-38738
**DESCRIPTION:**IBM OpenPages could provide weaker than expected security in a OpenPages environment using Native authentication. If OpenPages is using Native authentication an attacker with access to the OpenPages database could through a series of specially crafted steps could exploit this weakness and gain unauthorized access to other OpenPages accounts.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

In versions of IBM OpenPages until 8.3.0.2.7 and 9.0.0.1, a symmetric key encryption algorithm was used to encrypt OpenPages user passwords used in Native authentication. Starting from 8.3.0.2.7 and 9.0.0.1 you may update the password encryption to use a one-way hashing algorithm (PBKDF2) to prevent certain malicious attacks.

A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:

Product

|

Remediation

—|—

For IBM OpenPages with Watson 8.3

- Apply 8.3 FixPack 2 **(8.3.0.2)**then,

- Apply 8.3 Interim Fix 1 (8.3.0.2.7) or later

- Execute the Update Password Encryption Algorithm to change to one-way hashing algorithm using PBKDF2

|

Download URL for 8.3.0.2

https://www.ibm.com/support/pages/openpages-watson-83-fix-pack-2

Download URL for 8.3.0.2.7

<https://www.ibm.com/support/pages/openpages-watson-8302-interim-fix-7&gt;

For IBM OpenPages 9.0

- Apply 9.0 FixPack 1**(9.0.0.1)**then,

- Execute the Update Password Encryption Algorithm to change to one-way hashing algorithm using PBKDF2

|

Download URL for 9.0.0.1

<https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-1&gt;

Documentation URL for Updating the password encryption algorithm

<https://www.ibm.com/docs/en/openpages/9.0.0?topic=parameters-changing-password-encryption-algorithm-pbkdf2-encryption&gt;

For IBM OpenPages v8.0/8.1/8.2 customers, IBM recommends to upgrade to a fixed and supported versions 8.3 or9.0 of the product.

Workarounds and Mitigations

Configuring OpenPages to use either LDAP authentication or one of the Single Sign-On (SSO) authentication methods will mean that the actual user passwords are not persisted in IBM OpenPages database tables. With either LDAP or SSO authentication mechanisms the third party identity provider or LDAP server is the system of authority and users’ credentials do not need to be stored in OpenPages.

Configuring Single Sign-On Documentation

<https://www.ibm.com/docs/en/openpages/9.0.0?topic=only-single-sign-integration-openpages-application-server&gt;

Configuring LDAP User Authentication Documenation

<https://www.ibm.com/docs/en/openpages/9.0.0?topic=security-ldap-user-authentication&gt;