CVE-2019-4284
Description
IBM Cloud Private 2.1.0, 3.1.0, 3.1.1, and 3.1.2 could allow a local privileged user to obtain a sensitive OIDC token that is printed to log files, which could be used to log in to the system as another user. IBM X-Force ID: 160512.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Private logs OIDC tokens in ingress logs, letting local privileged users obtain tokens to impersonate other users.
Vulnerability
IBM Cloud Private versions 2.1.x, 3.1.0, 3.1.1, and 3.1.2 contain a vulnerability where OpenID Connect (OIDC) tokens are written to ingress log files [1]. These tokens could be accessed by a local user with elevated privileges, enabling them to authenticate as another user. The issue arises from improper handling of sensitive information in log output.
Exploitation
An attacker must have local privileged access to the IBM Cloud Private system, typically requiring administrative rights on the host or container running the ingress component [1]. The exploit involves reading the ingress log files to extract OIDC tokens that were inadvertently logged during normal operation. No user interaction is needed beyond the attacker's existing privileges.
Impact
A successful attacker can use the obtained OIDC token to log in to the system as another user, leading to unauthorized access and potential escalation of privileges within the IBM Cloud Private environment [1]. The confidentiality impact is high, but integrity and availability are not directly affected.
Mitigation
IBM has released patches for versions 3.1.1 and 3.1.2 under the icp-management-ingress fix. For version 2.1.x, IBM recommends upgrading to the latest Continuous Delivery (CD) update package version 3.2.0 [1]. No workarounds are available. Users should apply the appropriate patch or upgrade immediately.
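Ingress logs written before the fix was applied may still hold tokens, so retained and archived logs are worth auditing. The following Python sketch is an added example, not code from IBM or from this CVE's references: it flags log lines containing JWT-shaped strings and replaces each token with a short fingerprint. It assumes the logged OIDC tokens are JWTs; the function names and the sample log lines are constructed for illustration and do not reflect IBM Cloud Private's real log format.

```python
import base64
import hashlib
import json
import re

# Assumption: the logged OIDC tokens are JWTs (three base64url segments).
JWT_RE = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

def _b64(obj) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def is_jwt(candidate: str) -> bool:
    """True if the first segment decodes to a JSON header carrying "alg"."""
    header = candidate.split(".")[0]
    try:
        return "alg" in json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    except (ValueError, TypeError):
        return False

def redact_line(line: str):
    """Return (line with each JWT replaced by a fingerprint, number of hits)."""
    hits = 0
    def swap(match):
        nonlocal hits
        token = match.group(0)
        if not is_jwt(token):
            return token
        hits += 1
        return "[REDACTED-JWT sha256:%s]" % hashlib.sha256(token.encode()).hexdigest()[:12]
    return JWT_RE.sub(swap, line), hits

def scan(lines):
    """Yield (line_number, redacted_line) for each line that held a token."""
    for number, line in enumerate(lines, start=1):
        clean, hits = redact_line(line)
        if hits:
            yield number, clean

# Constructed sample input; not IBM Cloud Private's real log format.
TOKEN = ".".join([_b64({"alg": "RS256", "typ": "JWT"}), _b64({"sub": "constructed-user"}), "c2ln"])
SAMPLE = [
    '10.0.0.5 "GET /console HTTP/1.1" 200',
    '10.0.0.5 "GET /api HTTP/1.1" 200 authorization="Bearer %s"' % TOKEN,
    '10.0.0.7 "GET /healthz?id=eyJnotatoken.aaa.bbb HTTP/1.1" 200',
]

if __name__ == "__main__":
    for number, clean in scan(SAMPLE):
        print(number, clean)
```

The header check keeps strings that merely start with `eyJ` from being reported, and the fingerprint lets the same token be correlated across files without reproducing it.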
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: 2.1.0, 3.1.0, 3.1.1, 3.1.2
- IBM/Cloud Private (v5), Range: 2.1.0
References (2)
- exchange.xforce.ibmcloud.com/vulnerabilities/160512 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/docview.wss (mitre, x_refsource_CONFIRM)