VYPR
Unrated severity · NVD Advisory · Published Jun 6, 2019 · Updated Sep 17, 2024

CVE-2019-4161

Description

IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 discloses sensitive information to unauthorized users. The information can be used to mount further attacks on the system. IBM X-Force ID: 158660.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Security Information Queue (ISIQ) versions 1.0.0-1.0.2 expose internal development data, aiding further attacks.

Vulnerability

IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, and 1.0.2 disclose internal data left over from the product development and Beta phases [1]. This data includes information such as the exact HTTP server level, which is not intended for production environments. The vulnerability is present in the default configuration and does not require any special conditions to be reachable.

Exploitation

An attacker with local network access to an ISIQ instance can retrieve the exposed internal data without authentication [1]. The data is accessible through normal HTTP requests to the service, because the development artifacts were not removed from the production images published to Docker Hub.

Impact

Successful exploitation allows an attacker to obtain sensitive information about the system, such as the exact HTTP server level [1]. While much of the data is specific to ISIQ's development environment, the disclosed information can be used to mount further attacks on the system. The CVSS vector indicates a low confidentiality impact (C:L) with no impact on integrity or availability [1].

Mitigation

IBM released ISIQ version 1.0.3, which removes the internal data [1]. Users should upgrade to version 1.0.3 or later from the Docker Hub repository ibmcorp/security_information_queue [1]. No workarounds are documented; upgrading is the recommended action.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
