May 17, 2023 - 3:24 p.m.

Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities (CVE-2021-4238)

2023-05-17 15:24:34
www.ibm.com
ibm cloud pak for security
vulnerabilities
update
version 1.10.7.0

CVSS3: 9.1 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS: 0.002 Low
Percentile: 54.0%

Summary

IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security (CP4S).

Vulnerability Details

CVEID: CVE-2021-4238
**DESCRIPTION:** Masterminds GoUtils could allow a remote attacker to obtain sensitive information, caused by an issue where randomly generated alphanumeric strings contain significantly less entropy than expected. By utilizing cryptographic attack techniques, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/243415 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| Cloud Pak for Security (CP4S) | 1.10.0.0 - 1.10.6.0 |

Remediation/Fixes

IBM encourages customers to update their systems promptly.

Please upgrade to at least CP4S 1.10.7.0 following these instructions: <https://www.ibm.com/docs/en/cloud-paks/cp-security/1.10?topic=installing-upgrading-cloud-pak-security>

Workarounds and Mitigations

None

Affected configurations

Vulners

| Node | Match |
| --- | --- |
| ibmcloud_pak_for_security | 1.10 |

| CPE Name | Operator | Version |
| --- | --- | --- |
| ibm cloud pak for security | eq | 1.10 |
