CVE-2021-38935 – IBM Maximo Asset Management 7.6.1.2 does not en... (How to Fix)

Q: What is the severity of CVE-2021-38935?

CVE-2021-38935 has a CVSS score of 7.5 (HIGH). IBM Maximo Asset Management 7.6.1.2 does not enforce strong password policies by default, allowing weak passwords that can be easily guessed or brute-forced. This vulnerability affects all users of IBM Maximo Asset Management 7.6.1.2, potentially compromising user accounts and system security.

📋 TL;DR

IBM Maximo Asset Management 7.6.1.2 does not enforce strong password policies by default, allowing weak passwords that can be easily guessed or brute-forced. This vulnerability affects all users of IBM Maximo Asset Management 7.6.1.2, potentially compromising user accounts and system security.

💻 Affected Systems

Products:

IBM Maximo Asset Management

Versions: 7.6.1.2

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects default configuration where password policy is not explicitly strengthened.

📦 What is this software?

Maximo Asset Management by Ibm

View all CVEs affecting Maximo Asset Management →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain administrative access through weak passwords, leading to complete system compromise, data theft, and unauthorized control over asset management operations.

🟠

Likely Case

Attackers compromise standard user accounts through password guessing or brute-force attacks, gaining access to sensitive asset data and performing unauthorized actions.

🟢

If Mitigated

With strong password policies enforced, account compromise risk is significantly reduced, though other authentication vulnerabilities could still exist.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid user accounts but can be automated with password guessing tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply interim fix or upgrade as per IBM advisory

Vendor Advisory: https://www.ibm.com/support/pages/node/6557318

Restart Required: Yes

Instructions:

1. Review IBM advisory at provided URL
2. Apply recommended interim fix or upgrade
3. Restart Maximo services
4. Verify password policy enforcement

🔧 Temporary Workarounds

Enforce Strong Password Policy

all

Manually configure Maximo to require strong passwords (minimum length, complexity, expiration)

Configure via Maximo System Properties: mxe.security.passwordpolicy.* settings

🧯 If You Can't Patch

Implement multi-factor authentication for all accounts
Enforce network segmentation and limit access to Maximo systems

🔍 How to Verify

Check if Vulnerable:

Check if password policy is enforced by attempting to set weak passwords via user interface

Check Version:

Check Maximo version via application interface or database query

Verify Fix Applied:

Verify strong password requirements are enforced and cannot be bypassed

📡 Detection & Monitoring

Log Indicators:

Multiple failed login attempts from single source
Successful logins after many failures
Password change events to weak passwords

Network Indicators:

Brute-force attack patterns against authentication endpoints
Unusual authentication traffic

SIEM Query:

source="maximo" AND (event_type="login_failure" count>10 within 5min OR event_type="login_success" after multiple failures)

📊 Metadata

CVE ID: CVE-2021-38935

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-521

Published: February 18, 2022

Last Updated: November 21, 2024

🔗 References

https://exchange.xforce.ibmcloud.com/vulnerabilities/210892 VDB Entry,Vendor Advisory
https://www.ibm.com/support/pages/node/6557318 Patch,Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/210892 VDB Entry,Vendor Advisory
https://www.ibm.com/support/pages/node/6557318 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-38935, you might also want to check these: