CVE-2022-38385 The IBM Cloud Pak for Security 1.10.0.0 through 1.10.2.0 could be exploited by an authenticated user to obtain sensitive information or perform unauthorized actions.

This issue was addressed in version 1.10.3.0. There are several ways an attacker could exploit this vulnerability, including: - Generating a new SSH key pair on the system and using the generated public key to log into another system without authentication. - Stealing sensitive data such as credit card numbers, login credentials, or other data that would benefit the attacker. - Using the system for activities that would negatively impact the system owner such as distributed denial of service attacks. - Performing other actions that would be of concern to the system owner such as installing an unauthorized application.

Affected versions: CP4S 1.10.0.0 through 1.10.2.0. The CP4S package consists of the IBM Security Key Lifecycle Manager and IBM Security Server.

CVE ID: CVE-2018-15465. An issue was discovered in IBM Security Security Server and IBM Security Key Lifecycle Manager. The issue is related to the processing of LDAP queries. An attacker could exploit this issue to bypass LDAP authentication and possibly have other malicious actions taken.

CVE ID: CVE-2018-15464. An issue was discovered in IBM Security Security Server and IBM Security Key Lifecycle Manager. The issue is related to the processing of LDAP queries. An attacker could exploit this issue to bypass LDAP authentication and possibly have other malicious actions taken.

CVE ID: CVE-2018-15465. An issue was discovered in IBM

Dependencies and Services

The vulnerability requires at least one of the following - Indirect LDAP Server
- SSL Communication
- CAPI 2.x
- CAPI 3.x
- CVSS 4.1

Settings and Services

Affected by the CVE-2018-15465
The following default settings, services, and other components are affected by this vulnerability:
* All LDAP operations with the plugin.
* Authentication methods that use the plugin. This includes: - LDAP authentication through Active Directory (AD) or OpenLDAP. - Password authentication. - Smart card authentication via LDAP.

Affected Products: IBM Security Key Lifecycle Manager 1.10 through 1.10.2, IBM Security Server 1.10 through 1.10.2

Overview of the IBM Security CP4S package

IBM Security CP4S is a package of two products, the IBM Security Key Lifecycle Manager and IBM Security Server. The two products are used for key lifecycle and identity management.

The CP4S package consists of the IBM Security Key Lifecycle Manager and IBM Security Server. The two products are used for key lifecycle and identity management. This guide will provide you with information about what the security product does, how to manage your keys, and how to set up an environment to use this product.

Timeline

Published on: 11/15/2022 21:15:00 UTC
Last modified on: 11/18/2022 17:37:00 UTC

References

• https://exchange.xforce.ibmcloud.com/vulnerabilities/233777
• https://www.ibm.com/support/pages/node/6833586
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-38385