IBM Support

IBM Data Risk Manager Vulnerabilities

Troubleshooting


Problem

IBM customers running IBM Data Risk Manager version 2.0.1 and greater are advised to upgrade to the latest version of the product.  IBM has provided a fix for a number of reported issues. See the Security Bulletin referenced below for details.

Symptom

Multiple vulnerabilities were reported to exist within the IBM Data Risk Manager (IDRM) product versions 2.0.1 and greater.  IBM has provided a fix for the issues.  See the Security Bulletin referenced below for details on obtaining the fix.

The following vulnerabilities were previously identified and are addressed in the current product version.


1) Command Injection Vulnerability in version 2.0.1, 2.0.2 and 2.0.3 is addressed in version 2.0.4

2) Arbitrary File Download identified in version 2.0.2 and 2.0.3 is addressed in version 2.0.4


Version 2.0.1 and greater were reported to contain a default userid and password.  This is a known configuration and is recommended to be reset upon initial installation following the published installation guidance.  The related support documentation is available at https://www.ibm.com/support/knowledgecenter/en/SSJQ6V_2.0.6/com.ibm.idrm.doc/install/tsk/tsk_installguide_idrm_configuration.html .

An authentication bypass vulnerability was also reported to exist in product versions 2.0.1 and greater.  

IBM has provided a fix for the default password and authentication bypass. Please see the Security Bulletin referenced below for more information.

Resolving The Problem

To remediate the reported vulnerabilities, IBM recommends that customers upgrade to the most current IDRM version 2.0.6.  This Security Bulletin provides details: https://www.ibm.com/support/pages/node/6206875

Document Location

Worldwide

[{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSJQ6V","label":"IBM Data Risk Manager"},"ARM Category":[{"code":"a8m500000008YOFAA2","label":"Data Risk Manager"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"2.0.x","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
27 May 2020

UID

ibm16195705