CVE-2021-38869

9.8 CRITICAL

📋 TL;DR

IBM QRadar SIEM fails to automatically log users out after exceeding idle timeout in certain situations, allowing unauthorized session persistence. This affects IBM QRadar SIEM versions 7.3, 7.4, and 7.5 when specific conditions are met.

💻 Affected Systems

Products:
  • IBM QRadar SIEM
Versions: 7.3, 7.4, 7.5
Operating Systems: Linux (QRadar appliance OS)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability occurs "in some situations"; the specific conditions are not detailed in public advisories.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could gain unauthorized access to an authenticated QRadar session, potentially accessing sensitive security data, modifying configurations, or performing administrative actions.

🟠 Likely Case

Unauthorized users could access abandoned sessions to view security alerts, logs, and system information they shouldn't have access to.

🟢 If Mitigated

With proper network segmentation and access controls, the impact is limited to unauthorized viewing of security data within the QRadar console.

🌐 Internet-Facing: HIGH - If QRadar is exposed to the internet, attackers could potentially access abandoned sessions from anywhere.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit abandoned sessions within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires access to an active session that should have timed out.

Exploitation requires access to an existing session that hasn't been properly terminated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply security patch from IBM - specific version depends on your QRadar version

Vendor Advisory: https://www.ibm.com/support/pages/node/6574787

Restart Required: Yes

Instructions:

1. Log into the IBM Support Portal.
2. Download the appropriate security patch for your QRadar version.
3. Apply the patch following IBM's QRadar patching procedures.
4. Restart QRadar services as required.

🔧 Temporary Workarounds

Manual Session Management (applies to: all)

Enforce manual logout procedures and monitor active sessions.

Reduce Idle Timeout (applies to: all)

Configure shorter idle timeout periods in QRadar settings.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach QRadar console
  • Enforce mandatory manual logout procedures and session monitoring

🔍 How to Verify

Check if Vulnerable:

Check QRadar version via Admin tab > System and License Management > About

Check Version:

SSH to the QRadar console and run: /opt/qradar/bin/about.pl

Verify Fix Applied:

Confirm the patch level in the same About page (or in the about.pl output), then test that an idle session is actually terminated once the configured idle timeout elapses.

📡 Detection & Monitoring

Log Indicators:

  • Unusual session duration patterns
  • Multiple concurrent sessions from same user
  • Session activity after extended idle periods

Network Indicators:

  • Repeated authentication attempts to existing sessions
  • Unusual traffic patterns to QRadar console

SIEM Query:

source="QRadar" AND (event_name="User Session" OR event_name="Authentication") AND session_duration>timeout_threshold
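As an added example, not part of this advisory or of QRadar itself, the "session activity after extended idle periods" indicator above turned into a check over constructed, QRadar-style audit lines: any event that follows a silence longer than the configured idle timeout within the same session, without a fresh login, is flagged. The log format, field names and the 30-minute timeout are assumptions for the demo.

```python
# Added example: flag sessions that keep working past the idle timeout.
# SAMPLE_LOG is constructed for this demo and does not reproduce QRadar's
# real audit-log format; the field names and IDLE_TIMEOUT are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=30)  # assumed configured idle timeout

SAMPLE_LOG = """\
2021-09-01T08:00:00 user=alice session=s1 event=Login
2021-09-01T08:10:00 user=alice session=s1 event=ViewOffense
2021-09-01T09:05:00 user=alice session=s1 event=ViewOffense
2021-09-01T09:06:00 user=alice session=s1 event=EditRule
2021-09-01T08:00:00 user=bob session=s2 event=Login
2021-09-01T08:20:00 user=bob session=s2 event=ViewOffense
2021-09-01T08:25:00 user=bob session=s2 event=Logout
2021-09-01T10:00:00 user=bob session=s3 event=Login
2021-09-01T10:05:00 user=bob session=s3 event=ViewOffense
"""


def parse_line(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a parsed 'ts' field."""
    ts_str, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts_str)
    return rec


def find_stale_activity(log_text, idle_timeout=IDLE_TIMEOUT):
    """Return (user, session, gap_minutes, event) for each event that follows
    a gap longer than idle_timeout in the same session with no new Login.
    Such events mean the session survived when it should have timed out."""
    by_session = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_session[rec["session"]].append(rec)
    findings = []
    for session, events in by_session.items():
        events.sort(key=lambda r: r["ts"])  # logs may arrive out of order
        for prev, cur in zip(events, events[1:]):
            gap = cur["ts"] - prev["ts"]
            if gap > idle_timeout and cur["event"] != "Login":
                minutes = int(gap.total_seconds() // 60)
                findings.append((cur["user"], session, minutes, cur["event"]))
    return findings


if __name__ == "__main__":
    for finding in find_stale_activity(SAMPLE_LOG):
        print("stale session activity:", finding)
```

In the sample, alice's session s1 goes quiet for 55 minutes and then resumes without a new login, which is exactly the behaviour the idle timeout should have prevented; bob's sessions are clean.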
