History: Jul 23, 2019 - 7:15 p.m.

Security Bulletin: IBM Cloud Private - Session not invalidated on logout (CVE-2019-4439)

2019-07-23 19:15:01
www.ibm.com
10

EPSS: 0

Percentile: 5.1%

Summary

IBM Cloud Private - Session not invalidated on logout (CVE-2019-4439)

Vulnerability Details

CVEID: CVE-2019-4439
DESCRIPTION: IBM Cloud Private does not invalidate the session after logout, which could allow a local user to impersonate another user on the system.
CVSS Base Score: 5.9
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/162949> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Cloud Private 3.1.0, 3.1.1, 3.1.2

Remediation/Fixes

Product defect fixes and security updates are only available for the two most recent Continuous Delivery (CD) update packages:

  • IBM Cloud Private 3.1.2
  • IBM Cloud Private 3.1.1

For IBM Cloud Private 3.1.2, apply patch:

For IBM Cloud Private 3.1.1, apply patch:

For IBM Cloud Private 3.1.0:

  • Upgrade to the latest Continuous Delivery (CD) update package, IBM Cloud Private 3.2.
  • If required, individual product fixes can be made available between CD update packages for resolution of problems. Contact IBM support for assistance.

Workarounds and Mitigations

None
