CVE-2019-4698
Description
IBM Security Guardium Data Encryption (GDE) 3.0.0.2 does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts. IBM X-Force ID: 171929.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Guardium Data Encryption (GDE) 3.0.0.2 does not enforce strong passwords by default, lowering the barrier for attackers to compromise user accounts via credential-based attacks.
Vulnerability
IBM Guardium Data Encryption (GDE) version 3.0.0.2 does not enforce strong password requirements for user accounts by default [1]. This means the product allows weak or easily guessable passwords, contrary to security best practices. The affected version is GDE 3.0.0.2; the issue is addressed in GDE 4.0.0.0 [1].
Exploitation
An attacker does not need authenticated access to exploit this weakness, because it lies in the default password policy itself rather than in a specific attack vector [1]. The attacker would need to learn of a user account (e.g., through enumeration, social engineering, or other means) and then attempt to authenticate using common passwords or brute-force methods. Because the default policy does not enforce complexity, guessing or cracking weak passwords becomes more feasible [1].
Impact
Successful exploitation allows the attacker to compromise user accounts, potentially gaining unauthorized access to the GDE system [1]. Based on the CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N), the impact is primarily a high loss of confidentiality, with a scope change indicating that the compromised account may allow access to resources beyond the vulnerable component [1]. The finding carries no direct integrity or availability impact, but the compromised credentials could be leveraged in further attacks.
Mitigation
The vulnerability is fixed in IBM Guardium Data Encryption (GDE) version 4.0.0.0 [1]. Organizations running GDE 3.0.0.2 should upgrade to the latest release as soon as possible. There is no workaround documented in the references; the only remediation is to apply the update. The issue is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.0.0.2
- IBM/Security Guardium Data Encryption (v5), Range: 3.0.0.2
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/171929 (mitre; vdb-entry; x_refsource_XF)
- www.ibm.com/support/pages/node/6320817 (mitre; x_refsource_CONFIRM)