CVE-2021-20360
Description
IBM Cloud Pak for Applications 4.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 195031.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IBM Cloud Pak for Applications 4.3 uses weak cryptographic algorithms that allow unsecured HTTP communications, enabling attackers to decrypt sensitive data.
Vulnerability
IBM Cloud Pak for Applications version 4.3 uses weaker than expected cryptographic algorithms, resulting in unsecured HTTP communications [1]. This vulnerability affects all versions of IBM Cloud Pak for Applications prior to 4.3.1 [1]. The product fails to enforce strong encryption for network traffic, exposing sensitive data in transit.
Exploitation
An attacker with network access can perform a man-in-the-middle attack to intercept and decrypt HTTP traffic between the application and its components [1]. Attack complexity is high because the attacker needs precise network positioning, but no authentication or user interaction is needed (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) [1].
Impact
Successful exploitation allows the attacker to decrypt highly sensitive information transmitted over the network, leading to a high confidentiality impact [1]. Integrity and availability are not affected.
Mitigation
IBM released version 4.3.1 of Cloud Pak for Applications, which no longer exposes unsecured HTTP communications [1]. Users should upgrade to this version. No workarounds are available [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.3
- IBM/Cloud Pak for Applications (v5), Range: 4.3
Patches
No patches discovered yet.
References
- exchange.xforce.ibmcloud.com/vulnerabilities/195031 (mitre, vdb-entry, x_refsource_XF)
- www.ibm.com/support/pages/node/6471271 (mitre, x_refsource_CONFIRM)