CVE-2021-20360

7.5 HIGH

📋 TL;DR

IBM Cloud Pak for Applications 4.3 uses weak cryptographic algorithms that could allow attackers to decrypt sensitive information. This affects organizations running vulnerable versions of IBM Cloud Pak for Applications, potentially exposing encrypted data.

💻 Affected Systems

Products:
  • IBM Cloud Pak for Applications
Versions: 4.3
Operating Systems: All platforms running IBM Cloud Pak for Applications
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default cryptographic configuration in IBM Cloud Pak for Applications 4.3

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers decrypt highly sensitive information including credentials, configuration data, and application secrets, leading to complete system compromise.

🟠 Likely Case

Attackers decrypt stored sensitive data, gaining unauthorized access to application information and potentially escalating privileges.

🟢 If Mitigated

With proper encryption controls and network segmentation, impact is limited to specific encrypted data sets rather than full system compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the encrypted data and knowledge of the weak cryptographic implementation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fix from IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/6471271

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the recommended fix or upgrade.
3. Restart affected services.
4. Verify that the cryptographic algorithms have been updated.

🔧 Temporary Workarounds

Update Cryptographic Configuration


Manually configure stronger cryptographic algorithms in IBM Cloud Pak for Applications.

Refer to IBM documentation for cryptographic configuration updates.

🧯 If You Can't Patch

  • Implement network segmentation to isolate vulnerable systems
  • Monitor for unusual decryption activities and access patterns

🔍 How to Verify

Check if Vulnerable:

Check the IBM Cloud Pak for Applications version and review the cryptographic configuration settings.

Check Version:

oc get pods -n openshift-operators | grep ibm-cp4a-operator

Verify Fix Applied:

Verify that the updated cryptographic algorithms are in use and check the IBM fix application status.

📡 Detection & Monitoring

Log Indicators:

  • Unusual decryption activities
  • Access to encrypted data stores outside normal patterns

Network Indicators:

  • Traffic patterns suggesting cryptographic attacks
  • Unusual data extraction from encrypted stores

SIEM Query:

Search for decryption events or cryptographic algorithm usage in application logs.

🔗 References
