IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator and IBM Security Verify Directory Integrator products.
The vulnerabilities, identified through the Common Vulnerabilities and Exposures (CVE) system, expose users to various risks, including sensitive data disclosure and potential cookie theft.
The company urges customers to update to the latest versions of the software to mitigate these risks.
CVE-2024-28771 and CVE-2024-28770 are vulnerabilities in IBM Security Directory Integrator caused by the failure to set the secure attribute on authorization tokens or session cookies, allowing attackers to intercept cookie values via non-secure HTTP links, with a CVSS base score of 4.8.
CVE-2024-28766, while less severe with a CVSS base score of 2.4, involves unauthorized disclosure of sensitive directory information, potentially aiding attackers in planning further exploits.
The vulnerabilities impact the following products and their respective versions:
IBM has released fixes to address these vulnerabilities. For IBM Security Directory Integrator 7.2.0, users must apply the fix pack version 7.2.0-ISS-SDI-FP0013, while IBM Security Verify Directory Integrator users are advised to upgrade to version 10.0.0.2 of the product.
Containerized versions of IBM Security Verify Directory Integrator 10.0.0 have been updated, and the relevant container images are made available through IBM’s official documentation portal.
IBM strongly recommends that customers update their software to the latest versions without delay.
The company has not provided any workarounds or mitigations, emphasizing the importance of applying the patches.
Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free
Landmark Admin, LLC (“Landmark”), a Texas-based third-party administrator for life insurance carriers, has confirmed that…
SquareX researchers Jeswin Mathai and Audrey Adeline will be disclosing a new class of data exfiltration techniques at BSides San…
Mozilla has released Firefox 137.0.2, addressing a high-severity security flaw that could potentially allow attackers…
The Tails Project has urgently released Tails 6.14.2, addressing critical security vulnerabilities in the Linux kernel…
Check Point Research (CPR) has uncovered a new targeted phishing campaign employing GRAPELOADER, a sophisticated…
A sophisticated cyber espionage campaign leveraging the newly identified BRICKSTORM malware variants has targeted European…
