IBM customers running IBM Data Risk Manager (IDRM) version 2.0.1 or later are advised to upgrade to the latest version of the product. IBM has provided a fix for a number of reported issues. See the Security Bulletin referenced below for details.
Multiple vulnerabilities were reported to exist in IDRM product versions 2.0.1 and later. IBM has provided a fix for these issues. See the Security Bulletin referenced below for details on obtaining the fix.
The following vulnerabilities were previously identified and are addressed in the current product version:
1) A command injection vulnerability in versions 2.0.1, 2.0.2 and 2.0.3 is addressed in version 2.0.4.
2) An arbitrary file download vulnerability identified in versions 2.0.2 and 2.0.3 is addressed in version 2.0.4.
Versions 2.0.1 and later were reported to ship with a default user ID and password. This is a known, documented configuration: the default credentials are expected to be reset upon initial installation by following the published installation guidance. An installation that is left with the default credentials in place remains exposed. The related support documentation is available at https://www.ibm.com/support/knowledgecenter/en/SSJQ6V_2.0.6/com.ibm.idrm.doc/install/tsk/tsk_installguide_idrm_configuration.html .
An authentication bypass vulnerability was also reported to exist in product versions 2.0.1 and later.
IBM has provided a fix for both the default password issue and the authentication bypass. Please see the Security Bulletin referenced below for more information.
Resolving The Problem
To remediate all of the reported vulnerabilities, IBM recommends that customers upgrade to the most current IDRM version, 2.0.6, and reset the default credentials as described in the installation guidance. This Security Bulletin provides details: https://www.ibm.com/support/pages/node/6206875
27 May 2020