CVE-2021-20380

7.5 HIGH

📋 TL;DR

This vulnerability in IBM QRadar Advisor With Watson App allows remote attackers to obtain sensitive information from HTTP requests. The exposed information could aid in further attacks against the QRadar SIEM system. Affected users are those running IBM QRadar Advisor With Watson App versions 1.1 through 2.5 on IBM QRadar SIEM 7.4.

💻 Affected Systems

Products:
  • IBM QRadar Advisor With Watson App
  • IBM QRadar SIEM
Versions: QRadar Advisor With Watson App 1.1 through 2.5 on QRadar SIEM 7.4
Operating Systems: Linux (QRadar appliance OS)
Default Config Vulnerable: ⚠️ Yes
Notes: This affects the default installation of QRadar Advisor With Watson App on QRadar SIEM 7.4. The vulnerability is in the app itself, not the underlying OS.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain credentials or sensitive configuration data leading to full system compromise, lateral movement within the network, and data exfiltration.

🟠 Likely Case

Attackers gather information about system configuration, user accounts, or internal network details to plan targeted attacks against the QRadar environment.

🟢 If Mitigated

Information disclosure is limited to non-sensitive data due to proper network segmentation and access controls.

🌐 Internet-Facing: HIGH - If the QRadar interface is exposed to the internet, attackers can remotely exploit this without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to gather reconnaissance data for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability allows information disclosure without authentication. While no public exploit code is confirmed, the nature of the vulnerability suggests exploitation would be straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: QRadar Advisor With Watson App 2.6 or later

Vendor Advisory: https://www.ibm.com/support/pages/node/6457941

Restart Required: Yes

Instructions:

1. Log into QRadar Console as administrator.
2. Navigate to Admin > Extensions Management.
3. Check for available updates for QRadar Advisor With Watson App.
4. Update to version 2.6 or later.
5. Restart the QRadar services as prompted.

🔧 Temporary Workarounds

Network Access Restriction

Restrict network access to the QRadar console and API endpoints (HTTPS, port 443) to trusted IP addresses only. Make sure the trusted range includes administrators' workstations and any systems that call the QRadar API; event collection on other ports is not affected by these rules.

Use firewall rules to limit access (`trusted_network` is a placeholder for your management CIDR, e.g. `10.0.0.0/8`; the ACCEPT rule must come before the DROP rule):

```bash
# Allow HTTPS to the console/API only from the trusted network
iptables -A INPUT -p tcp --dport 443 -s trusted_network -j ACCEPT
# Drop HTTPS from everywhere else
iptables -A INPUT -p tcp --dport 443 -j DROP
```

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate QRadar from untrusted networks
  • Deploy web application firewall (WAF) rules to detect and block suspicious HTTP request patterns

🔍 How to Verify

Check if Vulnerable:

Check QRadar Advisor With Watson App version in QRadar Console under Admin > Extensions Management. If version is between 1.1 and 2.5 inclusive, the system is vulnerable.

Check Version:

In QRadar Console: Admin > Extensions Management > View installed extensions

Verify Fix Applied:

Verify the app version shows 2.6 or higher in Extensions Management. Test that HTTP requests no longer leak sensitive information.

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to QRadar Advisor endpoints from unauthorized sources
  • Multiple failed authentication attempts followed by information disclosure requests

Network Indicators:

  • Unusual traffic patterns to QRadar API endpoints from unexpected IP addresses
  • HTTP requests that appear to be probing for information

SIEM Query:

The following AQL query surfaces unauthenticated web/HTTP events on QRadar log sources from addresses outside a trusted list. `trusted_ips` is a placeholder name for a reference set you maintain with your trusted source addresses:

```sql
SELECT sourceip, username, LOGSOURCETYPENAME(devicetype) AS logsourcetype,
       CATEGORYNAME(category) AS categoryname, starttime
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%QRadar%'
  AND (CATEGORYNAME(category) ILIKE '%web%' OR CATEGORYNAME(category) ILIKE '%http%')
  AND (username IS NULL OR username = '')
  AND NOT REFERENCESETCONTAINS('trusted_ips', sourceip)
LAST 24 HOURS
```
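The same detection logic as the SIEM query, applied offline to exported web access events, as an added example that is not part of the advisory or of IBM's tooling. The trusted networks, the Advisor endpoint path prefix and the sample events are all constructed placeholders; adjust them to your environment.

```python
import ipaddress

# Assumed trusted management networks (placeholders).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Assumed URL prefix of the Advisor app's HTTP endpoints (placeholder, not a real path).
ADVISOR_PREFIX = "/console/plugins/app_advisor/"

# Constructed sample events in a QRadar-like exported shape.
SAMPLE_EVENTS = [
    {"sourceip": "10.0.5.7", "username": "admin", "url": ADVISOR_PREFIX + "api/status", "status": 200},
    {"sourceip": "203.0.113.9", "username": "", "url": ADVISOR_PREFIX + "api/config", "status": 200},
    {"sourceip": "203.0.113.9", "username": None, "url": ADVISOR_PREFIX + "api/users", "status": 200},
    {"sourceip": "192.168.10.4", "username": "", "url": "/console/login", "status": 401},
    {"sourceip": "198.51.100.2", "username": "", "url": ADVISOR_PREFIX + "api/config", "status": 403},
]


def is_trusted(ip):
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def is_suspicious(ev):
    """Unauthenticated request to an Advisor endpoint from an untrusted source
    that received a successful (2xx) response, i.e. probing that got data back."""
    unauthenticated = not ev.get("username")
    return (unauthenticated
            and ev["url"].startswith(ADVISOR_PREFIX)
            and not is_trusted(ev["sourceip"])
            and 200 <= ev["status"] < 300)


def find_suspicious(events):
    """Group suspicious events by source IP so repeated probing from one
    address shows up as a single finding with the list of URLs requested."""
    findings = {}
    for ev in events:
        if is_suspicious(ev):
            findings.setdefault(ev["sourceip"], []).append(ev["url"])
    return findings


if __name__ == "__main__":
    for ip, urls in find_suspicious(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(urls)} unauthenticated Advisor request(s): {urls}")
```

Requests that were rejected (non-2xx) or came from trusted ranges are intentionally left out so the output stays focused on successful disclosure attempts.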

🔗 References
