Medium Severity

Security Bulletin: IBM Verify Gateway PAM components default to cleartext storage of client secret (CVE-2020-4369)

The IBM Verify Gateway (IVG) PAM components allow encryption of the client-secret property in the /etc/pam_ibm_auth.json file, but it’s not the default configuration. Instead, customers must remember to add an –obfuscation command-line flag to encrypt the property. As of v1.0.1 of IVG for AIX PAM, and v1.0.2 of IVG for Linux PAM, the client-secret property is encrypted by default.

Affected product(s) and affected version(s):

Affected Product(s) | Version(s)
IBM Verify Gateway (IVG) PAM | 1.0.0, 1.0.1

Refer to the following reference URLs for remediation and additional vulnerability details:  
Source Bulletin: https://www.ibm.com/support/pages/node/6251285
