IBM has disclosed and released fixes for multiple security vulnerabilities identified in its Security Directory Integrator product.
These vulnerabilities pose potential risks such as unauthorized access to sensitive information and exposure of session cookies, which could be exploited by attackers to compromise system integrity.
The company strongly recommends updating to the latest software versions to mitigate these risks.
Three vulnerabilities have been identified, two of which involve the improper handling of authorization tokens or session cookies.
Both vulnerabilities, tracked as CVE-2024-28771 and CVE-2024-28770, have a CVSS Base Score of 4.8, indicating a medium severity.
IBM Security Directory Integrator fails to enforce the secure flag on cookies, potentially exposing them to attackers.
Over an unencrypted HTTP connection, an attacker able to observe the traffic could read the cookie values and compromise user sessions.
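The following is an added example, not code from the IBM bulletin or the product: a small audit that reads the Set-Cookie headers of a captured HTTP response and reports any cookie sent without the Secure attribute, the weakness class described above. The response and cookie names in it are constructed; the HttpOnly and SameSite checks go beyond what the bulletin describes and are included as general hardening checks.

```python
# Added example, not code from the IBM bulletin or product: audit the Set-Cookie
# headers of a captured HTTP response for a missing Secure attribute, the weakness
# class described above. The response and cookie names below are constructed.

def extract_set_cookie(raw_response: str) -> list:
    """Return the Set-Cookie header values from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    return [line.split(":", 1)[1].strip()
            for line in head.split("\r\n")
            if line.lower().startswith("set-cookie:")]

def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (cookie name, {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        if key:
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def audit_cookies(set_cookie_values) -> list:
    """Return (cookie name, [missing attributes]) for every cookie that is not
    fully hardened. Secure is the attribute the bulletin concerns; HttpOnly and
    SameSite are additional hardening checks beyond the bulletin."""
    findings = []
    for value in set_cookie_values:
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag, key in (("Secure", "secure"), ("HttpOnly", "httponly"))
                   if key not in attrs]
        # SameSite=None is treated as absent: it offers no cross-site restriction.
        if attrs.get("samesite", "").lower() not in ("strict", "lax"):
            missing.append("SameSite")
        if missing:
            findings.append((name, missing))
    return findings

# Constructed response: one session cookie without Secure, one fully hardened cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly\r\n"
    "Set-Cookie: csrf_tok=xyz; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for name, missing in audit_cookies(extract_set_cookie(SAMPLE_RESPONSE)):
        print(f"{name}: missing {', '.join(missing)}")
```

Pointing the audit at a real response captured from a test instance (for example, the headers saved from a browser's network tool) shows which cookies a server still sends without Secure after an update.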
Additionally, a third vulnerability, CVE-2024-28766, with a lower CVSS Base Score of 2.4, involves the unintended disclosure of sensitive directory information.
Exploiting this vulnerability could provide attackers with information that may assist in further attacks.
IBM acknowledges that this issue primarily arises when attackers have high privileges within the system, limiting its broader impact.
The vulnerabilities collectively highlight potential risks to confidentiality while leaving system integrity and availability largely unaffected.
Affected Systems and Fix Availability
The vulnerabilities impact two specific versions of IBM’s directory integrator products: IBM Security Directory Integrator version 7.2.0 and IBM Security Verify Directory Integrator version 10.0.0.
To address the issues, IBM has released fixes under the following versions:
- IBM Security Directory Integrator 7.2.0: Fixed in version 7.2.0-ISS-SDI-FP0013.
- IBM Security Verify Directory Integrator 10.0.0: Fixed in container image version ibm-svdi-10.0.0.2.
IBM urges all customers using these versions to update promptly to safeguard their environments.
The updated container images and further guidance on applying the patches are available in IBM’s official documentation.
IBM has confirmed that no workarounds or temporary mitigations exist for these vulnerabilities. Users must apply the recommended fixes to address the security flaws.
IBM also encourages users to subscribe to its “My Notifications” service to stay informed about future security bulletins and critical updates.