VYPR
Unrated severity · NVD Advisory · Published Feb 27, 2018 · Updated Sep 17, 2024

CVE-2018-1372

Description

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 137772.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Guardium Big Data Intelligence (SonarG) 3.1 does not enforce strong passwords by default, making it easier to compromise user accounts.

Vulnerability

IBM Security Guardium Big Data Intelligence (SonarG) version 3.1 does not require that users have strong passwords by default [1]. The product ships with a weak password policy, meaning that user accounts can be created or configured without enforcing complexity or length requirements.

Exploitation

An attacker with network access to the SonarG web interface could attempt to compromise user accounts by guessing or brute-forcing weak passwords [1]. The attacker does not need prior authentication; however, successful exploitation requires the attacker to identify a user account that has a weak or default password.

Impact

Successful exploitation allows the attacker to gain unauthorized access to an affected user's account [1]. This could lead to disclosure of sensitive information processed or stored by the SonarG application, consistent with the CVSS vector, which rates the confidentiality impact as High [1].

Mitigation

IBM has not published a specific fix or patch version in the available reference [1]. The advisory lists "None" under workarounds and mitigations. Users should contact IBM support for the latest remediation guidance. As a general security practice, organizations should manually enforce a strong password policy through configuration settings to mitigate this issue.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
