Security Bulletin: IBM Security Verify Information Queue does not always enable HTTP Strict Transport Security when sending error responses (CVE-2021-20409)

Summary

The web server in IBM Security Verify Information Queue (ISIQ) does not add the HTTP Strict Transport Security header in its internally generated error responses. Consequently, a remote attacker could obtain sensitive information from an insecure HTTP connection. As of v10.0.0, ISIQ is setting the Strict Transport Security header for all responses.

Vulnerability Details

CVEID:CVE-2021-20409
**DESCRIPTION:**IBM Security Verify Information Queue could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/196188 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Remediation/Fixes

Download and install the latest IBM Security Verify Information Queue images (tagged at 10.0.0 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: <https://www.ibm.com/support/pages/ibm-security-information-queue-starter-kit&gt;

Workarounds and Mitigations

None