CVE-2019-4162
Description
IBM Security Information Queue (ISIQ) 1.0.0, 1.0.1, and 1.0.2 is missing the HTTP Strict Transport Security header. Users can navigate by mistake to the unencrypted version of the web application or accept invalid certificates. This leads to sensitive data being sent unencrypted over the wire. IBM X-Force ID: 158661.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Security Information Queue versions 1.0.0-1.0.2 lack HSTS, allowing unencrypted data transmission.
Vulnerability
IBM Security Information Queue (ISIQ) versions 1.0.0, 1.0.1, and 1.0.2 do not include the HTTP Strict Transport Security (HSTS) header. The web server defaults to HTTPS but does not enforce it, allowing users to inadvertently navigate to the unencrypted HTTP version or accept invalid certificates. This vulnerability is documented in IBM X-Force ID 158661 [1].
Exploitation
An attacker with network access (e.g., man-in-the-middle position) can intercept HTTP traffic if the user accesses the unencrypted version of the application. The user may be tricked into clicking an HTTP link or accepting an invalid certificate. According to the CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), no user interaction is required for exploitation, but the attack complexity is high [1].
Impact
Successful exploitation allows the attacker to capture sensitive data transmitted in plaintext, leading to a loss of confidentiality. There is no impact on integrity or availability. The CVSS base score is 5.9 [1].
Mitigation
IBM has released ISIQ version 1.0.3 which enforces HTTPS and adds the HSTS header. Users should upgrade to version 1.0.3 or later from the Docker Hub repository ibmcorp/security_information_queue. No workarounds are available for earlier versions [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 1.0.0, 1.0.1, 1.0.2
- Range: 1.0.0
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/158661 (mitre; vdb-entry, x_refsource_XF)
- www.ibm.com/support/docview.wss (mitre; x_refsource_CONFIRM)