VYPR
Unrated severity · NVD Advisory · Published May 6, 2022 · Updated Sep 17, 2024

CVE-2021-39027

Description

IBM Guardium Data Encryption (GDE) 4.0.0 and 5.0.0 prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. IBM X-Force ID: 213865.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Guardium Data Encryption fails to properly encode structured messages, allowing low-severity integrity compromise via crafted input.

Vulnerability

IBM Guardium Data Encryption (GDE) versions 4.0.0 and 5.0.0, including the CipherTrust Tokenization Server (CT-VL) component version 2.6.4.21, contain a missing data encoding vulnerability [1]. The software prepares a structured message for communication with another component but either omits the encoding or escaping of the data or performs it incorrectly. As a result, the intended structure of the message is not preserved [1].

Exploitation

Exploitation requires a low-privileged authenticated attacker with network access to the affected component [1]. The attacker must trick a user into interacting with a crafted message (user interaction is required) [1]. The CVSS vector indicates the attack complexity is high (AC:H), meaning specific conditions or a race window may be needed to trigger the encoding flaw [1].

Impact

Successful exploitation results in a low integrity impact (CVSS integrity metric: Low) [1]. The scope is changed (S:C), meaning the compromised component can affect resources beyond its original authorization boundary [1]. No confidentiality or availability impact is reported [1].

Mitigation

The vendor recommends promptly updating to the latest version of IBM Guardium Data Encryption [1]. The fix is available through the Thales customer portal; a login is required to access the download [1]. No workarounds or mitigations are provided by the vendor [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
