CVE-2021-39063

9.1 CRITICAL

📋 TL;DR

IBM Spectrum Protect Plus versions 10.1.0.0 through 10.1.8.x have a CORS misconfiguration that allows attackers to perform privileged actions and access sensitive information. This affects all deployments using vulnerable versions of the software.

💻 Affected Systems

Products:
  • IBM Spectrum Protect Plus
Versions: 10.1.0.0 through 10.1.8.x
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default CORS settings are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise allowing data theft, privilege escalation, and complete control over the backup infrastructure.

🟠 Likely Case

Unauthorized access to sensitive backup data, configuration information, and potential privilege escalation within the system.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls, though the vulnerability still exists.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can directly exploit this vulnerability without internal access.
🏢 Internal Only: MEDIUM - Requires the attacker to have internal network access, but exploitation is still straightforward once that access is obtained.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

CORS misconfigurations are well-understood attack vectors with readily available exploitation techniques.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.9 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/6525346

Restart Required: Yes

Instructions:

1. Download IBM Spectrum Protect Plus 10.1.9 or later from IBM Fix Central.
2. Apply the update following IBM's installation procedures.
3. Restart all Spectrum Protect Plus services.

🔧 Temporary Workarounds

Network Segmentation

Platforms: all

Restrict access to the Spectrum Protect Plus web interface to trusted networks only.

Reverse Proxy CORS Controls

Platforms: all

Configure a reverse proxy in front of the web interface to enforce proper CORS headers and restrict the allowed origins.

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the Spectrum Protect Plus web interface.
  • Deploy a web application firewall (WAF) with CORS protection rules to block exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Check the IBM Spectrum Protect Plus version via the web interface or the command line. Versions 10.1.0.0 through 10.1.8.x are vulnerable.

Check Version:

On the Spectrum Protect Plus server, run 'java -jar /opt/IBM/SPP/version.jar', or check the About page in the web interface.

Verify Fix Applied:

Confirm the version is 10.1.9 or later, then test the CORS response headers with browser developer tools or curl to confirm that untrusted origins are no longer allowed.
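An added example of the curl-based check mentioned above; it is not part of the advisory or of IBM's tooling. It sends a probe Origin you control to the web interface and classifies the response headers, so the same check also validates a reverse-proxy CORS workaround. The host and probe origin below are placeholders.

```shell
#!/bin/sh
# Added example, not IBM's tooling: classify a server's CORS response to a
# probe Origin. A server that echoes an arbitrary Origin back in
# Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true
# lets a page on that origin read authenticated responses, which is the
# misconfiguration class this advisory describes.

# cors_classify PROBE_ORIGIN -- reads raw HTTP response headers on stdin and
# prints one verdict token. Header names are matched case-insensitively.
cors_classify() {
  probe=$1
  hdrs=$(tr -d '\r')
  acao=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-origin:' \
         | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  acac=$(printf '%s\n' "$hdrs" | grep -i '^access-control-allow-credentials:' \
         | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
         | tr 'A-Z' 'a-z')
  if [ -z "$acao" ]; then
    echo NO_CORS_HEADER                       # browser blocks cross-origin reads
  elif [ "$acao" = "$probe" ] && [ "$acac" = "true" ]; then
    echo REFLECTED_ORIGIN_WITH_CREDENTIALS    # worst case: authenticated reads
  elif [ "$acao" = "$probe" ]; then
    echo REFLECTED_ORIGIN                     # arbitrary origin trusted, no cookies
  elif [ "$acao" = "null" ] && [ "$acac" = "true" ]; then
    echo NULL_ORIGIN_WITH_CREDENTIALS         # sandboxed iframes send Origin: null
  elif [ "$acao" = "*" ]; then
    echo WILDCARD                             # browsers refuse credentials with "*"
  else
    echo ALLOWLISTED                          # a fixed origin that is not ours
  fi
}

# cors_probe URL PROBE_ORIGIN -- live check; returns 1 on an unsafe verdict.
# PROBE_ORIGIN must be an origin you control, never the real UI origin.
cors_probe() {
  verdict=$(curl -sS -o /dev/null -D - -H "Origin: $2" "$1" | cors_classify "$2")
  echo "$verdict"
  case $verdict in
    REFLECTED_ORIGIN*|NULL_ORIGIN*) return 1 ;;
  esac
  return 0
}

# Placeholder usage (hypothetical host and probe origin):
# cors_probe https://spp.example.internal/ https://cors-check.example
```

Run it against the patched server and against the reverse proxy separately; a reflected or null verdict on either means the workaround is not effective.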

📡 Detection & Monitoring

Log Indicators:

  • Unusual CORS-related requests
  • Access from unexpected origins
  • Failed authentication attempts from new origins

Network Indicators:

  • HTTP requests with Origin headers to Spectrum Protect Plus endpoints
  • Cross-origin requests to administrative endpoints

SIEM Query:

source="spp_logs" AND (http_header="Origin" OR http_method="OPTIONS") AND NOT origin IN ["trusted_domains"]

🔗 References
