Security Bulletin: IBM Guardium Data Encryption (GDE) has an information exposure vulnerability (CVE-2021-39025)

2022-03-1109:57:44

www.ibm.com

0.001 Low

EPSS

Percentile

25.0%

JSON

Summary

An information Exposure was addressed in IBM Guardium Data Encryption (GDE). Please apply the latest version for the fixes.

Vulnerability Details

CVEID:CVE-2021-39025
**DESCRIPTION:**IBM Guardium Data Encryption (GDE) could disclose internal IP address information when the web backend is down.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/213863 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Please apply the fix from below links, to obtain the fixes.
Note: In order to get the fix, customer needs to login to Thales portal.

Component Name	Fixed in version	Patch/Upgrade link
Guardium Cloud Key Manager (GCKM)	1.10.2	https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=3f16cf99dbc20110f0e3220805961916&sysparm_article=KB0025602
CipherTrust Tokenization Server (CT-VL)	2.6.4	https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=914ee8991b990110f9dca6886e4bcb80&sysparm_article=KB0025456
Guardium Data Encryption Server (DSM)	4.0.0.8

https://supportportal.thalesgroup.com/csm?id=kb_article_view&sys_kb_id=4f1986971b0e4510b840c84b1d4bcbc4&sysparm_article=KB0025645

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm security guardium data encryptioneq4.0.0.
ibm security guardium data encryptioneq5.0.0.

CPE	Name	Operator	Version
	ibm security guardium data encryption	eq	4.0.0.
	ibm security guardium data encryption	eq	5.0.0.

0.001 Low

EPSS

Percentile

25.0%

JSON

Related for AF2929451BC739D7CD8141B7D5D183594A82D4C5A970E0387EBF52EEA39DA0B6