IBM Cloud Pak for Security (CP4S) is a security platform that helps organizations detect, investigate, and respond to threats across hybrid multicloud environments. IBM has disclosed a vulnerability (CVE-2021-39090) affecting IBM Cloud Pak for Security versions 1.10.0.0 through 1.10.6.0. The affected releases fail to enable HTTP Strict Transport Security (HSTS) for the application, so a remote attacker positioned on the network path between a user and CP4S could downgrade the connection to plaintext HTTP and obtain sensitive information.

Vulnerability Details

IBM X-Force ID: 216388
CVE ID: CVE-2021-39090
Impact: Remote attackers can obtain sensitive information
Affected Versions: IBM Cloud Pak for Security (CP4S) 1.10.0.0 through 1.10.6.0
Solution: Update to IBM Cloud Pak for Security version 1.10.7.0 or later

The attack requires a man-in-the-middle position: the attacker must be able to intercept traffic between the user's browser and the CP4S application, for example on a shared wireless network or through a compromised router. Because the affected versions do not send an HSTS policy, nothing tells the browser that it must only ever reach the CP4S host over HTTPS, and the attacker can hold the user's session on plaintext HTTP while relaying it to the real server.

HTTP Strict Transport Security (HSTS, RFC 6797) is a web security policy that protects a site against protocol downgrade attacks and cookie hijacking. A server sends it as a Strict-Transport-Security response header over HTTPS; for as long as the max-age directive allows, the browser then rewrites any http:// reference to that host to https:// before connecting and refuses to let the user click through certificate errors. Two caveats matter when assessing the fix: the policy is only stored when it was received over a valid HTTPS connection, so a user's first visit (or a visit after the policy has expired) remains exposed unless the host is on the browser preload list, and a policy without includeSubDomains leaves cookies scoped to the parent domain reachable from a plaintext subdomain.

Exploitation Scenario

Consider the ordinary request-response exchange between a user's browser and a vulnerable CP4S instance (version 1.10.6.0 or earlier). An attacker could exploit the missing policy as follows:

1. Obtain a man-in-the-middle position so that traffic between the user's browser and the CP4S application passes through a host the attacker controls.
2. Exploit the lack of HSTS enforcement by downgrading the connection: when the browser issues a plaintext http:// request for the CP4S host (a typed hostname, a bookmark, or a link without a scheme), the attacker answers it over HTTP and relays the requests to the real server over HTTPS, so the user's traffic, including session cookies and submitted form data, crosses the attacker's host in the clear. With a stored HSTS policy the browser would have upgraded the request to HTTPS before sending it and the downgrade would fail.

Code Snippet

Here is a code snippet showing how HSTS can be enabled in an Apache web server configuration (an .htaccess file or the virtual host definition); mod_headers must be loaded for the Header directive to take effect, and the max-age of 31536000 seconds is one year:

# Enable HTTP Strict Transport Security (HSTS)
<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</IfModule>

The equivalent in Nginx is an add_header Strict-Transport-Security directive with the always flag, so that the header is also sent on error responses; note that add_header directives in a location block replace, rather than extend, those inherited from the enclosing server block, so the HSTS header has to be repeated in any location that sets its own headers. Whatever the server, browsers only honour the header when it arrives over a valid HTTPS connection, so plain-HTTP virtual hosts should redirect to HTTPS rather than set it.
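Enabling the header is only half the job; the fix for this advisory is verified by looking at what the CP4S hostname actually sends. The following Python script is an added example, not code from this page or from IBM: it parses the Strict-Transport-Security header the way a browser does (RFC 6797 section 6.1), reports the weaknesses a practitioner looks for (missing or duplicated header, max-age of zero or under a year, no includeSubDomains, preload requested without meeting its requirements), and can optionally fetch the headers of a host named on the command line. The sample header sets inside it are constructed, and the hostname cp4s.example.com in the comment is a placeholder.

```python
"""Check whether a host's HTTPS responses carry a usable HSTS policy (RFC 6797)."""
import http.client
import ssl
from dataclasses import dataclass
from typing import Optional

ONE_YEAR = 31536000  # seconds; the max-age used in the .htaccess snippet above


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security field value.

    Returns None for a header a browser would ignore: no max-age, a
    non-numeric max-age, or a directive that appears more than once
    (RFC 6797 forbids duplicates). Unknown directives are skipped.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue  # tolerate a trailing ';'
        name, _, val = raw.partition("=")
        name = name.strip().lower()   # directive names are case-insensitive
        val = val.strip().strip('"')  # max-age="31536000" is a legal quoted-string form
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def assess_hsts(headers: list) -> list:
    """Return findings for a list of (name, value) response headers.

    An empty list means a policy is present and strong enough to stop the
    downgrade described above. The list has the shape that http.client's
    getheaders() returns.
    """
    values = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not values:
        return ["no Strict-Transport-Security header: the browser will accept a downgrade to HTTP"]
    if len(values) > 1:
        return ["multiple Strict-Transport-Security headers: browsers honour only the first"]
    policy = parse_hsts(values[0])
    if policy is None:
        return ["malformed Strict-Transport-Security header, ignored by browsers: %r" % values[0]]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 clears any stored policy; the host is unprotected")
    elif policy.max_age < ONE_YEAR:
        findings.append("max-age=%d is below one year; an expired policy reopens the downgrade window" % policy.max_age)
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: a plaintext subdomain can still set cookies for the parent domain")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requested but the preload list requires max-age >= 1 year and includeSubDomains")
    return findings


def fetch_headers(host: str, port: int = 443, path: str = "/") -> list:
    """HEAD the host over TLS with certificate validation and return its headers (needs network)."""
    conn = http.client.HTTPSConnection(host, port, timeout=10, context=ssl.create_default_context())
    try:
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": "hsts-check/1.0"})
        return conn.getresponse().getheaders()
    finally:
        conn.close()


if __name__ == "__main__":
    import sys
    # Constructed sample header sets, not captured from a real CP4S deployment.
    samples = {
        "no header (the pre-1.10.7.0 state)": [("Content-Type", "text/html")],
        "header from the .htaccess snippet": [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")],
        "weak header": [("Strict-Transport-Security", "max-age=300")],
    }
    for label, hdrs in samples.items():
        print("%s -> %s" % (label, assess_hsts(hdrs) or ["OK"]))
    for host in sys.argv[1:]:  # e.g. python hsts_check.py cp4s.example.com (placeholder host)
        print("%s -> %s" % (host, assess_hsts(fetch_headers(host)) or ["OK"]))
```

Run it against the patched CP4S hostname after upgrading, and again against any reverse proxy in front of it: the header must arrive on the response the browser sees, not only from the backend. The check deliberately treats a duplicated directive or a non-numeric max-age as "no policy", because that is how browsers treat it, so a typo in the configuration shows up as the same finding as a missing header.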

Recommendations

IBM has released an update that fixes this vulnerability, and users are advised to apply it as soon as possible. The recommendations are:

1. Update IBM Cloud Pak for Security to version 1.10.7.0 or later.

2. If the application is fronted by your own web server or reverse proxy, enable HTTP Strict Transport Security (HSTS) there as well, and confirm that the header is actually present in the responses the browser receives from the CP4S hostname.

3. Verify your SSL/TLS configuration (protocol versions, cipher suites, certificate chain) to ensure current best practices are followed.

Original References

IBM Security Bulletin: IBM Cloud Pak for Security Sensitive Information Exposure

CVE Reference: CVE-2021-39090 on NVD

IBM X-Force ID: 216388 - IBM Cloud Pak for Security Sensitive Information Exposure

Timeline

Published on: 02/29/2024 03:15:00 UTC
Last modified on: 02/29/2024 13:49:00 UTC