Jul 15, 2021 - 7:06 p.m.

Security Bulletin: IBM Data Replication Management Console Authentication Affected by Anonymous Binding (CVE-2020-4821)

2021-07-15 19:06:46
www.ibm.com

EPSS: 0.003 (Percentile: 68.7%)

Summary

This bulletin covers a vulnerability in the Management Console client: authentication may be bypassed if the console is configured to authenticate against LDAP directories that allow anonymous binding.

Vulnerability Details

**CVEID:** CVE-2020-4821
**DESCRIPTION:** IBM Cognos Controller, under certain configurations, could allow a user to bypass authentication mechanisms using an empty password string.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189834 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
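
The failure mode described above, as an added Python illustration (not IBM's code and not taken from the product): under RFC 4513 a simple bind with a zero-length password is an unauthenticated bind, so a login routine that treats any successful bind as proof of identity accepts an empty password when the directory permits such binds. `SimulatedDirectory`, the function names and the sample user are constructed for this example, and the directory is simulated in-process.

```python
class BindError(Exception):
    """Raised by the simulated directory when a bind is refused."""

class SimulatedDirectory:
    """Constructed in-process stand-in for an LDAP server (no network I/O)."""
    def __init__(self, users, allow_anonymous):
        self.users = users                  # DN -> password (sample data)
        self.allow_anonymous = allow_anonymous

    def simple_bind(self, dn, password):
        # RFC 4513: a zero-length password makes this an unauthenticated
        # bind. The supplied DN is not verified; the session is anonymous.
        if password == "":
            if self.allow_anonymous:
                return "anonymous"
            raise BindError("unauthenticated bind refused")
        if self.users.get(dn) == password:
            return dn                       # session is bound as this DN
        raise BindError("invalid credentials")

def login_bind_only(directory, dn, password):
    """Weak pattern: any successful bind is treated as a login."""
    try:
        directory.simple_bind(dn, password)
        return True
    except BindError:
        return False

def login_hardened(directory, dn, password):
    """Reject empty credentials before binding, then require that the
    session is bound as the requested DN rather than anonymously."""
    if not dn or not password:
        return False
    try:
        return directory.simple_bind(dn, password) == dn
    except BindError:
        return False

# Constructed sample data.
ALICE = "uid=alice,ou=people,dc=example,dc=com"
USERS = {ALICE: "correct horse"}

if __name__ == "__main__":
    permissive = SimulatedDirectory(USERS, allow_anonymous=True)
    for name, fn in (("bind-only", login_bind_only), ("hardened", login_hardened)):
        print(name, "empty password accepted:", fn(permissive, ALICE, ""))
```

Disabling anonymous and unauthenticated binds on the directory closes the same gap from the server side; the client-side check keeps the application safe when it cannot control the directory's configuration.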

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM InfoSphere Change Data Capture for z/OS | 10.2.1 |

Remediation/Fixes

Update to the latest offering fix pack found here:

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%3FInformation%20Management&product=ibm/Information+Management/IBM+InfoSphere+Data+Replication&release=11.4&platform=All&function=all&source=fc

Workarounds and Mitigations

None
