VYPR
Unrated severity · NVD Advisory · Published Aug 26, 2020 · Updated Sep 16, 2024

CVE-2019-4713

Description

IBM Security Guardium Data Encryption (GDE) 3.0.0.2 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 172084.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption (GDE) 3.0.0.2 allows remote authenticated attackers to execute arbitrary commands via a specially-crafted request.

Vulnerability

IBM Guardium Data Encryption (GDE) version 3.0.0.2 contains a command injection vulnerability that allows a remote authenticated attacker to execute arbitrary commands on the system. The flaw resides in the handling of specially-crafted requests, which are not properly sanitized before being passed to system commands. No special configuration is required for the vulnerable code path to be reachable; any authenticated user can trigger it [1].

Exploitation

An attacker must have valid credentials to authenticate to the GDE management interface. With network access to the affected system, the attacker sends a specially-crafted request that includes malicious input. The request is processed by the vulnerable component, leading to command execution. No user interaction beyond the attacker's own actions is required [1].

Impact

Successful exploitation grants the attacker arbitrary command execution on the underlying operating system with the privileges of the GDE service. This results in full compromise of confidentiality, integrity, and availability (CVSS 8.8, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The attacker can read sensitive data, modify system files, install malware, or disrupt operations [1].

Mitigation

IBM has fixed this vulnerability in GDE version 4.0.0.0. Users should upgrade to the latest release as soon as possible. No workarounds are documented. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2
