CVE-2021-29750

7.5 HIGH

📋 TL;DR

IBM QRadar SIEM versions 7.3 and 7.4 use weak cryptographic algorithms that could allow attackers to decrypt sensitive information. This affects organizations using these specific QRadar versions for security monitoring and log management.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.3.0 through 7.3.3 and 7.4.0 through 7.4.3
Operating Systems: Linux (RHEL/CentOS)
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using affected versions are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers decrypt highly sensitive security data, including credentials, configuration secrets, and log contents, potentially compromising the entire security monitoring infrastructure.

🟠 Likely Case

Attackers with network access decrypt intercepted sensitive data, gaining unauthorized access to security information and potentially pivoting to other systems.

🟢 If Mitigated

With proper network segmentation and access controls, exposure is limited to already-authorized users, who could still decrypt data they are not entitled to see.

🌐 Internet-Facing: MEDIUM - While QRadar typically shouldn't be internet-facing, misconfigurations could expose it, allowing attackers to intercept and decrypt traffic.
🏢 Internal Only: HIGH - Internal attackers or compromised accounts could exploit this to access sensitive security data within the SIEM.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to intercept encrypted traffic and the capability to perform cryptographic analysis on it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.3 Fix Pack 10 and 7.4.3 Fix Pack 10

Vendor Advisory: https://www.ibm.com/support/pages/node/6488945

Restart Required: Yes

Instructions:

1. Download the appropriate fix pack from IBM Fix Central.
2. Back up the QRadar configuration.
3. Apply the fix pack following IBM documentation.
4. Restart QRadar services.

🔧 Temporary Workarounds

Network Segmentation (scope: all)

Isolate QRadar management interfaces to trusted networks only.

Access Control (scope: all)

Restrict administrative access to QRadar to authorized personnel only.

🧯 If You Can't Patch

  • Implement strict network segmentation to limit QRadar traffic to trusted networks only
  • Monitor for unusual access patterns or cryptographic-related errors in QRadar logs

🔍 How to Verify

Check if Vulnerable:

Check QRadar version via Admin tab > System & License Management > Deployment Status

Check Version:

ssh admin@qradar-host 'cat /opt/qradar/VERSION'

Verify Fix Applied:

Verify version shows 7.3.3 Fix Pack 10 or 7.4.3 Fix Pack 10 after patching

📡 Detection & Monitoring

Log Indicators:

  • Unusual cryptographic errors
  • Multiple failed decryption attempts

Network Indicators:

  • Unusual traffic patterns to/from QRadar management interfaces

SIEM Query:

source="QRadar" AND (event_name="CRYPTO_ERROR" OR description="decryption")
