CVE-2019-4239

Vulnerability

IBM MQ Advanced Cloud Pak, when deployed on IBM Cloud Private versions 1.0.0 through 3.0.1 or on RedHat OpenShift versions 2.1.0 through 2.3.1, stores user credentials in plain text in container logs [1]. This occurs due to the application printing passwords directly into log output, which can be accessed by any local user on the system.

Exploitation

An attacker with local access to the system where the container logs are stored (or mirrored to an external logging service) can read the logs and extract plaintext credentials [1]. No authentication or user interaction is required, as the logs are generated automatically and accessible to local users.

Impact

Successful exploitation leads to disclosure of sensitive credentials, such as passwords, which can be used to gain unauthorized access to systems or escalate privileges. The confidentiality of user credentials is compromised, with no impact on integrity or availability [1].

Mitigation

As of the publication of the advisory, no fix or workaround has been provided by IBM [1]. Users should monitor for updates from IBM and consider restricting access to container logs as a temporary measure.