Rewterz Threat Advisory – Multiple IBM Security Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2021-38980 

IBM Tivoli Key Lifecycle Manager (IBM Security Guardium Key Lifecycle Manager) 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.

CVE-2021-38891 

IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.

CVE-2021-38890 

IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

CVE-2021-38875 

IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages.

Impact

• Information Disclosure
• Denial of Service

Affected Vendors

IBM

Affected Products

• IBM Security Key Lifecycle Manager 3.0
• IBM Security Key Lifecycle Manager 3.0.1
• IBM Security Key Lifecycle Manager 4.0
• IBM Security Key Lifecycle Manager 3.0.0.4
• IBM Security Key Lifecycle Manager 3.0.1.5
• IBM Security Key Lifecycle Manager 4.0.0.3
• IBM Security Key Lifecycle Manager 4.1.0.1
• IBM Security Key Lifecycle Manager 4.1.1
• IBM Security Key Lifecycle Manager 4.1.0
• IBM Connect:Direct Web Services 6.0
• IBM Connect:Direct Web Services 1.0
• IBM MQ 8.0.0
• IBM MQ 9.0.0
• IBM MQ 9.1.0
• IBM MQ 9.2.0

Remediation

For CVEs Mentioned above, refer to IBM security advisory for patch, upgrade, or suggested workaround information.

CVE-2021-38980 

CVE-2021-38891 

CVE-2021-38890 

CVE-2021-38875