CVE-2021-38901

Vulnerability

CVE-2021-38901 affects IBM Spectrum Protect Operations Center version 7.1.0.000 through 7.1.13.xxx [1]. Under special configurations, specifically when tracing is enabled, user credentials may be displayed in the trace file in plain text [1]. This does not affect the software in its default configuration.

Exploitation

An attacker must have local access to the file system where trace files are stored [1]. The attacker does not require authentication to the Operations Center itself, but needs the ability to read local files on the host. Exploitation is only possible if tracing has been previously enabled by an administrator, and the trace files have not been deleted [1]. The attack complexity is high because the attacker must locate and access the trace file among possibly many system files.

Impact

Successful exploitation leads to the disclosure of highly sensitive information, specifically user credentials in plain text [1]. This results in a confidentiality breach with a CVSS base score of 5.1 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) [1]. The impact is limited to confidentiality; integrity and availability are not affected.

Mitigation

IBM has not released a software fix for this issue [1]. The recommended mitigation is to not enable tracing unless explicitly instructed to do so by IBM, and to delete any existing trace files that are no longer needed [1]. Organizations should restrict local file system access to trusted administrators only.