Severity
Medium
Analysis Summary
CVE-2021-38980
IBM Tivoli Key Lifecycle Manager (IBM Security Guardium Key Lifecycle Manager) 3.0, 3.0.1, 4.0, and 4.1 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned in the browser. This information could be used in further attacks against the system.
CVE-2021-38891
IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVE-2021-38890
IBM Sterling Connect:Direct Web Services 1.0 and 6.0 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVE-2021-38875
IBM MQ 8.0, 9.0 LTS, 9.1 LTS, 9.2 LTS, 9.1 CD, and 9.2 CD is vulnerable to a denial of service attack caused by an error processing messages.
Impact
- Information Disclosure
- Denial of Service
Affected Vendors
IBM
Affected Products
- IBM Security Key Lifecycle Manager 3.0
- IBM Security Key Lifecycle Manager 3.0.1
- IBM Security Key Lifecycle Manager 4.0
- IBM Security Key Lifecycle Manager 3.0.0.4
- IBM Security Key Lifecycle Manager 3.0.1.5
- IBM Security Key Lifecycle Manager 4.0.0.3
- IBM Security Key Lifecycle Manager 4.1.0.1
- IBM Security Key Lifecycle Manager 4.1.1
- IBM Security Key Lifecycle Manager 4.1.0
- IBM Connect:Direct Web Services 6.0
- IBM Connect:Direct Web Services 1.0
- IBM MQ 8.0.0
- IBM MQ 9.0.0
- IBM MQ 9.1.0
- IBM MQ 9.2.0
Remediation
For CVEs Mentioned above, refer to IBM security advisory for patch, upgrade, or suggested workaround information.
CVE-2021-38980
CVE-2021-38891
CVE-2021-38890
CVE-2021-38875