CVE-2021-38941

8.1 HIGH

📋 TL;DR

IBM CloudPak for Multicloud Monitoring 2.0 and 2.3 runs some of its containers in privileged mode. A privileged container is not confined by the usual container boundary: it has the full Linux capability set and can see the node's devices, so an unauthorized user who gains access to one of these containers can execute arbitrary commands that read sensitive host information or destroy the host itself. This affects organizations running these specific versions of IBM's monitoring platform.

💻 Affected Systems

Products:
  • IBM CloudPak for Multicloud Monitoring
Versions: 2.0 and 2.3
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The privileged mode is part of how the product itself starts its containers, not a setting an administrator turns on, so a stock deployment of the listed versions is affected. Deployments whose containers have already been reconfigured to drop privileged mode are not.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete host compromise leading to data exfiltration, service disruption, or destruction of the underlying infrastructure.

🟠

Likely Case

Unauthorized access to container environments resulting in information leakage about the host system and potential lateral movement.

🟢

If Mitigated

Limited impact due to network segmentation and proper access controls preventing unauthorized container access.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to one of the affected containers first; privileged mode is not remotely exploitable on its own. Once inside, privileged mode turns container access into host access: a privileged container can mount the node's block devices, load kernel modules and talk to every device in /dev, so the container boundary no longer confines the attacker.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply fixes as per IBM Security Bulletin

Vendor Advisory: https://www.ibm.com/support/pages/node/6599639

Restart Required: Yes

Instructions:

1. Review the IBM Security Bulletin.
2. Apply the recommended patches or updates.
3. Restart the affected containers/services.
4. Verify that the containers are no longer running in privileged mode.

🔧 Temporary Workarounds

Remove Privileged Mode from Containers

linux

Where possible, reconfigure the vulnerable containers so they no longer run in privileged mode. Privileged mode cannot be changed on a running container: docker update only adjusts resource limits and the restart policy, and a no-new-privileges security option does not take away privileges a container already has. A Docker container therefore has to be removed and re-created with the same options minus --privileged. In Kubernetes, patching the pod template rolls out new pods. If the deployment is managed by the Cloud Pak's operator or a Helm release, make the same change in the custom resource or release values, otherwise the controller may reconcile the privileged setting back. Test the monitoring components afterwards, since agents that collect host metrics may depend on the access privileged mode grants.

docker rm -f <container_id>
docker run <original options without --privileged> <image>
kubectl patch deployment <deployment_name> -p '{"spec":{"template":{"spec":{"containers":[{"name":"<container_name>","securityContext":{"privileged":false}}]}}}}'

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate vulnerable containers from sensitive systems.
  • Enforce strong authentication and access controls to prevent unauthorized container access.

🔍 How to Verify

Check if Vulnerable:

Check the container configurations for privileged mode. Docker: docker inspect --format '{{.HostConfig.Privileged}}' <container_id> prints true or false. Kubernetes: kubectl get pods -A -o jsonpath='{range .items[*]}{.metadata.namespace}{"/"}{.metadata.name}{" "}{.spec.containers[*].securityContext.privileged}{"\n"}{end}' lists every pod with the privileged flag of its containers (blank means unset, which defaults to false). Piping the raw JSON through grep -i privileged only tells you the word appears somewhere; the jsonpath form shows which pod sets it. Remember to check initContainers as well.

Check Version:

Check the IBM CloudPak version in the platform administration interface, or read it from the labels of the component pods (the label selector and key depend on the component): kubectl get pods -l app=<component> -o jsonpath='{.items[*].metadata.labels.version}'

Verify Fix Applied:

Re-run the same inspection after patching or reconfiguring and confirm that every container, including initContainers, reports privileged false or has no privileged setting at all (unset defaults to false). Check again after the next operator reconciliation or Helm upgrade to make sure the setting has not been restored.
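The two manual steps above (find every privileged container, then patch the deployments that run them) can be scripted. The following is an added example written for this page, not IBM code: it does not know the Cloud Pak's real namespaces, deployments or container names, so the sample pod listing below is constructed in the shape of `kubectl get pods -A -o json`, with placeholder names. It also inspects initContainers, which the one-line jsonpath check skips, and emits the strategic-merge patch used in the workaround.

```python
"""Audit a pod listing for privileged containers and build the patch that
turns privileged mode off.

Added example for this advisory page (not IBM code). Input is the JSON that
`kubectl get pods -A -o json` prints; the sample below is constructed and its
names are placeholders."""
import json
import subprocess
from typing import Dict, List, Tuple

# Constructed sample in the shape of `kubectl get pods -A -o json`.
SAMPLE_POD_LIST = json.dumps({
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"metadata": {"namespace": "monitoring", "name": "agent-abc12"},
         "spec": {
             "initContainers": [{"name": "init-sysctl",
                                 "securityContext": {"privileged": True}}],
             "containers": [{"name": "agent",
                             "securityContext": {"privileged": True}},
                            {"name": "sidecar",
                             "securityContext": {"privileged": False}}]}},
        # No securityContext at all: privileged defaults to false.
        {"metadata": {"namespace": "monitoring", "name": "ui-def34"},
         "spec": {"containers": [{"name": "ui"}]}},
    ]})


def find_privileged_containers(pod_list_json: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, container) for every container, initContainers
    included, whose securityContext sets privileged: true. A missing
    securityContext or a missing 'privileged' key means false."""
    found = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod["metadata"]
        spec = pod.get("spec", {})
        for kind in ("initContainers", "containers"):
            for ctr in spec.get(kind, []):
                if (ctr.get("securityContext") or {}).get("privileged") is True:
                    found.append((meta["namespace"], meta["name"], ctr["name"]))
    return found


def unprivilege_patch(container_names: List[str]) -> Dict:
    """Strategic-merge patch for `kubectl patch deployment <name> -p ...` that
    sets privileged: false on the named (regular) containers. Kubernetes merges
    the containers list by 'name', so other containers are left untouched;
    initContainers need the same shape under a separate 'initContainers' key."""
    return {"spec": {"template": {"spec": {"containers": [
        {"name": name, "securityContext": {"privileged": False}}
        for name in container_names]}}}}


def live_pod_list() -> str:
    """Fetch the real listing from the current kubeconfig context."""
    return subprocess.check_output(
        ["kubectl", "get", "pods", "-A", "-o", "json"], text=True)


if __name__ == "__main__":
    # Swap SAMPLE_POD_LIST for live_pod_list() to audit a real cluster.
    for ns, pod, ctr in find_privileged_containers(SAMPLE_POD_LIST):
        print(f"PRIVILEGED {ns}/{pod} container={ctr}")
    print(json.dumps(unprivilege_patch(["agent"])))
```

Against the constructed sample the audit reports the init-sysctl and agent containers of agent-abc12 and nothing else; the emitted patch is the same JSON as the kubectl patch command in the workaround, generated per container so nothing is mistyped.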

📡 Detection & Monitoring

Log Indicators:

  • Unusual container privilege escalation attempts
  • Unexpected commands executed from container contexts
  • Access to host resources from container processes

Network Indicators:

  • Unexpected network connections from containers to sensitive hosts
  • Data exfiltration patterns from container environments

SIEM Query (field names are illustrative; map them to your log schema):

container.privileged:true AND (event.action:exec OR process.name:sh)
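The most direct log source for "unexpected commands executed from container contexts" on Kubernetes is the API server audit log, which records every kubectl exec and attach as a pods subresource request. The detector below is an added example for this page, not IBM code or an IBM-documented rule: it joins audit events with an inventory of pods known to run privileged containers and alerts on interactive access to those pods. The audit lines are constructed in the audit.k8s.io/v1 Event shape, the inventory is a hand-written stand-in for the output of a cluster audit, and the user, pod and namespace names are placeholders.

```python
"""Alert on exec/attach into privileged pods from Kubernetes audit log lines.

Added example for this advisory page (not IBM code). Audit lines and the
privileged-pod inventory below are constructed; names are placeholders."""
import json
from typing import Iterable, List, Set, Tuple

# Stand-in inventory: (namespace, pod) pairs known to run privileged containers.
PRIVILEGED_PODS: Set[Tuple[str, str]] = {("monitoring", "agent-abc12")}

# Pod subresources that give a shell in, or attach to, a running container.
INTERACTIVE_SUBRESOURCES = {"exec", "attach"}

# Constructed audit events, one JSON object per line as the API server's log
# backend writes them. Only the fields the detector reads are filled in. The
# first two lines are two stages of the same request (same auditID).
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1",
                "stage": "RequestReceived", "verb": "create",
                "user": {"username": "jdoe"},
                "objectRef": {"resource": "pods", "namespace": "monitoring",
                              "name": "agent-abc12", "subresource": "exec"},
                "requestURI": "/api/v1/namespaces/monitoring/pods/agent-abc12/exec?command=sh&stdin=true",
                "requestReceivedTimestamp": "2024-01-01T10:00:00Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a1",
                "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "jdoe"},
                "objectRef": {"resource": "pods", "namespace": "monitoring",
                              "name": "agent-abc12", "subresource": "exec"},
                "requestURI": "/api/v1/namespaces/monitoring/pods/agent-abc12/exec?command=sh&stdin=true",
                "requestReceivedTimestamp": "2024-01-01T10:00:00Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a2",
                "stage": "ResponseComplete", "verb": "get",
                "user": {"username": "jdoe"},
                "objectRef": {"resource": "pods", "namespace": "monitoring",
                              "name": "agent-abc12"},
                "requestURI": "/api/v1/namespaces/monitoring/pods/agent-abc12",
                "requestReceivedTimestamp": "2024-01-01T10:00:01Z"}),
    json.dumps({"kind": "Event", "apiVersion": "audit.k8s.io/v1", "auditID": "a3",
                "stage": "ResponseStarted", "verb": "create",
                "user": {"username": "jdoe"},
                "objectRef": {"resource": "pods", "namespace": "monitoring",
                              "name": "ui-def34", "subresource": "exec"},
                "requestURI": "/api/v1/namespaces/monitoring/pods/ui-def34/exec?command=sh",
                "requestReceivedTimestamp": "2024-01-01T10:00:02Z"}),
    "not json at all",
]


def privileged_exec_alerts(lines: Iterable[str],
                           privileged_pods: Set[Tuple[str, str]] = PRIVILEGED_PODS) -> List[dict]:
    """Return one alert per exec/attach request into a pod in the inventory.
    A request appears in the log once per audit stage, so requests are
    de-duplicated by auditID; malformed lines are skipped, not fatal."""
    alerts = []
    seen_requests = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        ref = ev.get("objectRef") or {}
        if ref.get("resource") != "pods" or ref.get("subresource") not in INTERACTIVE_SUBRESOURCES:
            continue
        key = (ref.get("namespace"), ref.get("name"))
        if key not in privileged_pods:
            continue  # exec into an unprivileged pod: noisy, not this alert
        audit_id = ev.get("auditID")
        if audit_id is not None:
            if audit_id in seen_requests:
                continue
            seen_requests.add(audit_id)
        alerts.append({
            "user": (ev.get("user") or {}).get("username"),
            "namespace": key[0], "pod": key[1],
            "subresource": ref["subresource"],
            "time": ev.get("requestReceivedTimestamp"),
            "uri": ev.get("requestURI"),
        })
    return alerts


if __name__ == "__main__":
    for alert in privileged_exec_alerts(SAMPLE_AUDIT_LINES):
        print("ALERT privileged-container exec:", json.dumps(alert))
```

On the constructed input this yields a single alert, for jdoe's exec into monitoring/agent-abc12; the plain get, the exec into the unprivileged ui pod and the malformed line are ignored. Feeding the inventory from the cluster audit rather than a hard-coded set keeps the rule accurate as deployments are patched.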
