CVE-2019-4314

Vulnerability

IBM Security Guardium Big Data Intelligence (SonarG) version 4.0 stores sensitive information in cleartext within a resource that might be accessible to another control sphere [1]. The vulnerability exists in the SonarG component of the product, and no configuration changes are required to reach the affected code path.

Exploitation

An attacker with network access to the vulnerable resource could retrieve the cleartext sensitive data. The attack vector is network-based, and the attack complexity is high, as per the CVSS vector (AV:N/AC:H) [1]. No authentication or user interaction is required, and the attacker does not need any special privileges beyond network access [1].

Impact

Successful exploitation results in the disclosure of sensitive information, impacting confidentiality (C:H) [1]. The attacker gains access to cleartext sensitive data, which could include credentials, configuration details, or other confidential information stored in the accessible resource. No integrity or availability impact is reported.

Mitigation

IBM has addressed this vulnerability in a security update. Affected customers should apply the fix from IBM Support as per the remediation instructions in the security bulletin [1]. No workarounds or mitigations are available; IBM recommends applying the patch directly [1].