Medium Severity

Security Bulletin: IBM Verify Gateway does not hide client secrets when debug tracing is active (CVE-2020-4372)

When the IBM Verify Gateway (IVG) components are run with debug tracing, client secrets such as the username, password, and client-id are included in the debug log. As of v1.0.1 of IVG for RADIUS and IVG for AIX PAM, and v1.0.2 of IVG for Linux PAM and IVG for Windows Login, these client secrets are suppressed when debug tracing is active.

Affected product(s) and affected version(s):

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Verify Gateway (IVG) RADIUS | 1.0.0 |
| IBM Verify Gateway (IVG) PAM | 1.0.0, 1.0.1 |
| IBM Verify Gateway (IVG) WinLogin | 1.0.0, 1.0.1 |

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6251289
