VYPR
Unrated severity · NVD Advisory · Published Aug 20, 2019 · Updated Sep 17, 2024

CVE-2019-4117

Description

IBM Cloud Private 3.1.1 and 3.1.2 are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 158116.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Cloud Private versions 2.1.x, 3.1.0, 3.1.1, and 3.1.2 are vulnerable to cross-site request forgery, allowing attackers to execute unauthorized actions on behalf of authenticated users.

Vulnerability

IBM Cloud Private Identity and Access Management (IAM) is vulnerable to cross-site request forgery (CSRF). The vulnerability affects IBM Cloud Private versions 2.1.x, 3.1.0, 3.1.1, and 3.1.2. It allows an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts [1]. The CVSS vector is (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) with a base score of 4.3 [1].

Exploitation

To exploit this vulnerability, an attacker must trick an authenticated user into clicking a crafted link or visiting a malicious page. The attack is network-accessible and requires no prior authentication (PR:N), but relies on user interaction (UI:R): the user must perform an action such as clicking a link while authenticated to the IBM Cloud Private web interface [1]. The victim's browser then submits the forged request to the console with the victim's session cookie attached, so the server treats it as a legitimate action by that user.

Impact

Successful exploitation allows the attacker to perform unauthorized actions within the context of the victim's session, such as modifying IAM settings or executing administrative functions. The impact is limited to integrity (I:L), because the attacker can change data or settings but confidentiality and availability are not directly affected [1]. No escalation of privilege is achieved beyond the victim's existing permissions.

Mitigation

IBM has released patches for the two most recent Continuous Delivery (CD) update packages: an auth-idp patch for IBM Cloud Private 3.1.2 and an auth-idp patch for IBM Cloud Private 3.1.1. For older affected versions (2.1.x and 3.1.0), IBM recommends upgrading to the latest CD update package, IBM Cloud Private 3.2. If individual fixes are needed between CD packages, contact IBM support [1]. As of the publication date (2019-08-20), these fixes are available.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
