CVSS3 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
AI Score | |
Confidence | High |
EPSS Percentile | 19.0% |
IBM OpenPages with Watson is affected by unauthorized account access due to the Native authentication method. This vulnerability has been addressed.
CVEID: CVE-2023-38738
**DESCRIPTION:** IBM OpenPages could provide weaker than expected security in an OpenPages environment using Native authentication. If OpenPages is using Native authentication, an attacker with access to the OpenPages database could, through a series of specially crafted steps, exploit this weakness and gain unauthorized access to other OpenPages accounts.
CVSS Base score: 6.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/262594 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
IBM OpenPages with Watson | 9.0 |
IBM OpenPages with Watson | 8.3 |
In versions of IBM OpenPages prior to 8.3.0.2.7 and 9.0.0.1, a symmetric-key encryption algorithm was used to encrypt the OpenPages user passwords used in Native authentication. Starting with 8.3.0.2.7 and 9.0.0.1, you can update the password encryption to use a one-way hashing algorithm (PBKDF2) to prevent certain malicious attacks.
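As an added illustration (not code from this bulletin or from IBM OpenPages), the following Python models the difference the fix makes. A reversible symmetric scheme is represented by a constructed keyed-XOR stand-in (not OpenPages' actual algorithm) beside a PBKDF2 record; a login path re-hashes a legacy row to PBKDF2 once the user's password has been presented, and a check counts the rows still held in the reversible form. The record formats, iteration count, salt size and digest are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed parameters for this example: the bulletin says only that the fix
# moves from a symmetric cipher to PBKDF2 and does not publish OpenPages' own
# iteration count, salt size or digest.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DIGEST = "sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a one-way record: pbkdf2$<digest>$<iterations>$<salt>$<dk>.

    A fresh random salt per user defeats precomputed tables, and the stored
    record contains nothing from which the password can be recovered."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(DIGEST, password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2", DIGEST, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(dk).decode("ascii")])


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the derivation with the stored salt; compare in constant time."""
    scheme, digest, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2":
        raise ValueError("not a PBKDF2 record")
    candidate = hashlib.pbkdf2_hmac(digest, password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(dk_b64))


# Constructed stand-in for the pre-fix reversible scheme. A keyed XOR stream
# illustrates the one property that matters here: the key turns every stored
# row back into a password. It is not OpenPages' algorithm.
def _keystream(key: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def legacy_encrypt(password: str, key: bytes) -> str:
    data = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return "legacy$" + base64.b64encode(ct).decode("ascii")


def legacy_decrypt(record: str, key: bytes) -> str:
    scheme, ct_b64 = record.split("$")
    if scheme != "legacy":
        raise ValueError("not a legacy record")
    ct = base64.b64decode(ct_b64)
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))
    return pt.decode("utf-8", errors="replace")


def login_and_migrate(store: dict, username: str, password: str, legacy_key: bytes) -> bool:
    """Authenticate against whichever scheme the row uses. On a successful
    login against a legacy row, rewrite it as PBKDF2 so the reversible form
    disappears: the plaintext is only available at this moment."""
    record = store.get(username)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):
        return verify_pbkdf2(password, record)
    if record.startswith("legacy$"):
        ok = hmac.compare_digest(legacy_decrypt(record, legacy_key).encode("utf-8"),
                                 password.encode("utf-8"))
        if ok:
            store[username] = hash_password(password)
        return ok
    raise ValueError(f"unknown scheme for {username}")


def count_reversible(store: dict) -> int:
    """Post-migration check: rows still on the legacy scheme are recoverable by
    anyone holding both the table and the key. This should reach zero."""
    return sum(1 for r in store.values() if r.startswith("legacy$"))


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key for the legacy stand-in
    store = {"alice": legacy_encrypt("correct horse", key),
             "bob": legacy_encrypt("battery staple", key)}
    print("reversible rows before:", count_reversible(store))
    login_and_migrate(store, "alice", "correct horse", key)
    print("reversible rows after alice's login:", count_reversible(store))
```

Migrating on login is the pattern to use when only the reversible record exists and the operator does not want to decrypt every row in bulk; the `count_reversible` check is what to watch after the migration step, since rows for users who never log in again stay in the old form until they are reset.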
A fix has been created for each affected version of the named product. Download and install the fix as soon as possible. Fixes and installation instructions are provided at the URLs listed below:
Product: IBM OpenPages with Watson 8.3
Remediation:
- Apply 8.3 FixPack 2 (8.3.0.2), then
- Apply 8.3 Interim Fix 1 (8.3.0.2.7) or later, then
- Execute the Update Password Encryption Algorithm to change to the one-way hashing algorithm using PBKDF2
Download URL for 8.3.0.2: https://www.ibm.com/support/pages/openpages-watson-83-fix-pack-2
Download URL for 8.3.0.2.7: https://www.ibm.com/support/pages/openpages-watson-8302-interim-fix-7

Product: IBM OpenPages 9.0
Remediation:
- Apply 9.0 FixPack 1 (9.0.0.1), then
- Execute the Update Password Encryption Algorithm to change to the one-way hashing algorithm using PBKDF2
Download URL for 9.0.0.1: https://www.ibm.com/support/pages/ibm-openpages-90-fix-pack-1
Documentation URL for Updating the password encryption algorithm
For IBM OpenPages v8.0/8.1/8.2 customers, IBM recommends upgrading to a fixed and supported version, 8.3 or 9.0, of the product.
Configuring OpenPages to use either LDAP authentication or one of the Single Sign-On (SSO) authentication methods means that the actual user passwords are not persisted in IBM OpenPages database tables. With either the LDAP or the SSO authentication mechanism, the third-party identity provider or LDAP server is the system of authority, and users' credentials do not need to be stored in OpenPages.
Configuring Single Sign-On Documentation
Configuring LDAP User Authentication Documentation
<https://www.ibm.com/docs/en/openpages/9.0.0?topic=security-ldap-user-authentication>
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | openpages_with_watson | 8.3 | cpe:2.3:a:ibm:openpages_with_watson:8.3:*:*:*:*:*:*:* |
ibm | openpages_with_watson | 9.0 | cpe:2.3:a:ibm:openpages_with_watson:9.0:*:*:*:*:*:*:* |