CVE-2021-20369

Vulnerability

IBM Cloud Pak for Applications version 4.3 (and possibly earlier versions) uses weaker than expected cryptographic algorithms, as described in the IBM security bulletin [1]. This weakness affects all deployments of the product prior to version 4.3.1. The inadequate encryption may be present in various components handling sensitive data.

Exploitation

An attacker can exploit this vulnerability remotely over the network without requiring authentication or user interaction, though the attack complexity is high (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) [1]. The attacker would need to intercept or manipulate encrypted communications to leverage the weak algorithms and decrypt the data.

Impact

Successful exploitation results in the disclosure of highly sensitive information, with a confidentiality impact rated as HIGH. Integrity and availability are not affected [1]. The attacker gains access to decrypted data that should have been protected by strong encryption.

Mitigation

IBM recommends upgrading to IBM Cloud Pak for Applications v4.3.1, which removes the use of the inadequate encryption algorithm [1]. No workarounds are available. The fix was released on July 12, 2021, as per the security bulletin.