CVE-2019-4699

Vulnerability

CVE-2019-4699 affects IBM Security Guardium Data Encryption (GDE) version 3.0.0.2. The product generates error messages that inadvertently include sensitive information about its environment, users, or associated data. This information disclosure occurs without requiring any special configuration beyond default settings [1].

Exploitation

An attacker with network access to the GDE system can trigger error conditions that cause the application to output detailed system information. No authentication is required to trigger these errors, and the attacker does not need prior knowledge of the system beyond the network location of the service [1].

Impact

Successful exploitation results in the disclosure of sensitive data, such as internal network configurations, user details, or other operational information. This can aid an attacker in further attacks against the GDE environment or connected systems. The CVSS v3.0 base score is 5.3 (Medium), with the vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N [1].

Mitigation

IBM released a fix as part of GDE version 3.0.0.3 or later. Organizations should upgrade to the latest version available from IBM Fix Central. No workarounds are documented; applying the patch is the recommended course of action [1].