CVE-2021-29755

7.5 HIGH

📋 TL;DR

IBM QRadar SIEM versions 7.3, 7.4, and 7.5 fail to properly validate SSL/TLS certificates for some inter-host communications. This allows attackers to perform man-in-the-middle attacks and intercept or manipulate sensitive data between QRadar components. Organizations running these specific QRadar versions are affected.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.3, 7.4, 7.5
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects communications between QRadar components (console, processors, event collectors).

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers intercept administrative credentials, sensitive log data, or configuration information, leading to full system compromise and data exfiltration.

🟠 Likely Case

Attackers intercept unencrypted or weakly authenticated communications between QRadar components, potentially gaining access to security event data.

🟢 If Mitigated

With proper network segmentation and certificate validation enabled, impact is limited to potential denial of service or minor data leakage.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires network access to intercept communications between QRadar hosts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply security patch from IBM (see advisory)

Vendor Advisory: https://www.ibm.com/support/pages/node/6605431

Restart Required: Yes

Instructions:

1. Download the patch from IBM Fix Central.
2. Back up the system.
3. Apply the patch following IBM instructions.
4. Restart QRadar services.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate QRadar components in trusted network segments to limit attack surface.

Certificate Validation Enforcement (platform: linux)

Configure QRadar to enforce strict certificate validation for all inter-host communications.

🧯 If You Can't Patch

  • Implement strict network segmentation between QRadar components
  • Monitor network traffic for unusual certificate validation failures

🔍 How to Verify

Check if Vulnerable:

Check the QRadar version via Admin > System & License Management > About. If the version is 7.3, 7.4, or 7.5 without the latest patches, the system is vulnerable.

Check Version:

ssh admin@qradar-host 'cat /opt/qradar/VERSION'

Verify Fix Applied:

Verify patch installation via Admin > System & License Management > Installed Updates. Check for certificate validation improvements in inter-host communications.

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation failures in QRadar logs
  • Unexpected certificate changes in communications

Network Indicators:

  • Unencrypted or improperly authenticated traffic between QRadar hosts
  • Man-in-the-middle attack patterns

SIEM Query:

source="qradar" AND ("certificate validation" OR "SSL error" OR "TLS error")

🔗 References