CVE-2019-4160

Vulnerability

IBM Guardium Data Encryption (GDE) version 3.0.0.2 uses weaker than expected cryptographic algorithms, as described in the official CVE entry and referenced in the IBM security bulletin [1]. This weakness could allow an attacker to decrypt highly sensitive information protected by the product. The affected version is explicitly GDE 3.0.0.2.

Exploitation

An attacker would need network access to the system running the affected GDE version. The weak cryptographic algorithms can be exploited through passive interception of encrypted data or by gaining access to encrypted storage. No authentication is required for the cryptographic weakness itself, though the attacker must be able to obtain the encrypted data in transit or at rest.

Impact

Successful exploitation results in the attacker being able to decrypt highly sensitive information that was intended to be protected by GDE. This leads to a direct compromise of confidentiality (information disclosure) of the encrypted data. The severity of the impact is high, as the product is designed to protect sensitive data.

Mitigation

IBM has not explicitly disclosed a fixed version in the available references [1]. Users should consult the IBM support page for the latest updates and apply any available patches. Until a fix is applied, organizations should review and possibly replace the use of weak cryptographic algorithms within their GDE configuration, if feasible. No KEV listing was found for this CVE.