VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published May 27, 2026 · Updated May 27, 2026

CVE-2024-40684

Description

IBM Operations Analytics - Log Analysis (also sold as IBM SmartCloud Analytics - Log Analysis) versions 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, and 1.3.8.4 does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

IBM Operations Analytics - Log Analysis versions 1.3.5 through 1.3.8 do not enforce strong password policies, making it easier for attackers to compromise user accounts.

Vulnerability

IBM Operations Analytics - Log Analysis (versions 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, and 1.3.8.4) does not require strong passwords by default. This weakness resides in the Backend Authentication and Session Management module used in the login mechanism [1]. The product does not enforce complexity or length requirements, and lacks sufficient account lockout controls to prevent brute-force attacks [1].

Exploitation

An attacker with network access to the Log Analysis login interface can attempt to guess or brute-force user passwords without facing strong password constraints or account lockout thresholds. No authentication is required to begin the attack, though the high attack complexity (indicated by the CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) suggests that successful exploitation may require a large number of attempts or specific knowledge about user accounts [1]. The attacker does not need any prior user interaction or privileges.

Impact

A successful password compromise allows the attacker to gain unauthorized access to a legitimate user account. Depending on the compromised account's privileges, the attacker could then access sensitive log data or other information stored within IBM Operations Analytics - Log Analysis, leading to a high confidentiality impact with no impact on integrity or availability [1].

Mitigation

IBM recommends implementing an LDAP user registry in place of the built-in database-managed custom user registry to enforce strong password policies and account lockout controls. Customers using version 1.3.7 or 1.3.8 can refer to the configuration guides for LDAP authentication [1]. No software patch is currently listed by IBM for this CVE, and no KEV listing is known as of the publication date.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE — the mechanics section is only generated when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.