IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator and IBM Security Verify Directory Integrator products.
The vulnerabilities, identified through the Common Vulnerabilities and Exposures (CVE) system, expose users to various risks, including sensitive data disclosure and potential cookie theft.
The company urges customers to update to the latest versions of the software to mitigate these risks.
Details of Vulnerabilities
CVE-2024-28771 and CVE-2024-28770 are vulnerabilities in IBM Security Directory Integrator caused by the failure to set the secure attribute on authorization tokens or session cookies, allowing attackers to intercept cookie values via non-secure HTTP links, with a CVSS base score of 4.8.
CVE-2024-28766, while less severe with a CVSS base score of 2.4, involves unauthorized disclosure of sensitive directory information, potentially aiding attackers in planning further exploits.
Impacted Products and Versions
The vulnerabilities impact the following products and their respective versions:
- IBM Security Directory Integrator version 7.2.0
- IBM Security Verify Directory Integrator version 10.0.0
IBM has released fixes to address these vulnerabilities. For IBM Security Directory Integrator 7.2.0, users must apply the fix pack version 7.2.0-ISS-SDI-FP0013, while IBM Security Verify Directory Integrator users are advised to upgrade to version 10.0.0.2 of the product.
Containerized versions of IBM Security Verify Directory Integrator 10.0.0 have been updated, and the relevant container images are made available through IBM’s official documentation portal.
IBM strongly recommends that customers update their software to the latest versions without delay.
The company has not provided any workarounds or mitigations, emphasizing the importance of applying the patches.
Are you from SOC/DFIR Teams? –Â Analyse Malware Files & Links with ANY.RUN Sandox ->Â Try for Free
