CVE-2023-38281
📋 TL;DR
IBM Cloud Pak System fails to set the secure attribute on authorization tokens and session cookies, making them vulnerable to interception when transmitted over HTTP. Attackers can exploit this by tricking users into visiting malicious HTTP links, potentially compromising session data. This affects IBM Cloud Pak System deployments where cookies are transmitted without proper security flags.
💻 Affected Systems
- IBM Cloud Pak System
📦 What is this software?
Os Image For Red Hat Linux Systems by Ibm
View all CVEs affecting Os Image For Red Hat Linux Systems →
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal valid session cookies and impersonate legitimate users, gaining unauthorized access to sensitive administrative functions and data within IBM Cloud Pak System.
Likely Case
Session hijacking, where attackers capture user sessions through man-in-the-middle attacks on unencrypted connections, leading to unauthorized access to application functions.
If Mitigated
With proper HTTPS enforcement and secure cookie attributes, the risk is significantly reduced as cookies won't be transmitted over insecure channels.
🎯 Exploit Status
Exploitation requires attackers to intercept HTTP traffic or trick users into visiting malicious HTTP links targeting the vulnerable system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: IBM Cloud Pak System 2.3.3.5 iFix 1
Vendor Advisory: https://www.ibm.com/support/pages/node/7254419
Restart Required: Yes
Instructions:
1. Download IBM Cloud Pak System 2.3.3.5 iFix 1 from IBM Fix Central.
2. Apply the fix following IBM's installation procedures.
3. Restart affected services.
4. Verify that the secure attribute is now set on all session cookies.
🔧 Temporary Workarounds
Enforce HTTPS Only
Configure the web server to redirect all HTTP traffic to HTTPS and disable HTTP access entirely
# Configure web server (e.g., Apache/Nginx) to redirect HTTP to HTTPS
# Set HSTS headers to enforce HTTPS
Application Layer Cookie Security
Configure the application to set the Secure, HttpOnly, and SameSite attributes on all cookies
# Application-specific configuration to set cookie security attributes
🧯 If You Can't Patch
- Deploy network segmentation to isolate IBM Cloud Pak System from untrusted networks
- Implement strict access controls and monitor for suspicious cookie transmission over HTTP
🔍 How to Verify
Check if Vulnerable:
Inspect the Set-Cookie response headers in browser developer tools, or with curl, to check whether session cookies lack the Secure attribute when accessing the system
Check Version:
Check IBM Cloud Pak System version through administrative interface or system documentation
Verify Fix Applied:
Verify that cookies now include the Secure flag and that the system redirects HTTP to HTTPS
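As an added example (not from the advisory or from IBM), a small Python check that parses Set-Cookie headers as captured with curl -I and reports which session cookies lack the Secure, HttpOnly and SameSite attributes. The sample headers are constructed, and the cookie names other than JSESSIONID are assumptions.

```python
import re
from typing import Dict, List

# Cookie names treated as session/authorization cookies. JSESSIONID appears in
# the advisory's SIEM query; the other name fragments are assumptions.
SESSION_COOKIE_PATTERN = re.compile(r"(session|jsessionid|token|auth)", re.IGNORECASE)

# Constructed Set-Cookie headers, not captured from a real IBM Cloud Pak System.
SAMPLE_HEADERS = [
    "JSESSIONID=0000abcd1234; Path=/; HttpOnly",
    "auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "theme=dark; Path=/",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        if not attr:
            continue  # tolerate a trailing ';'
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def missing_attributes(header: str) -> List[str]:
    """Return the security attributes absent from one Set-Cookie header."""
    attrs = parse_set_cookie(header)["attrs"]
    wanted = [("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")]
    return [label for key, label in wanted if key not in attrs]


def audit_session_cookies(headers: List[str]) -> Dict[str, List[str]]:
    """Map each session-like cookie name to the attributes it is missing."""
    report: Dict[str, List[str]] = {}
    for header in headers:
        name = str(parse_set_cookie(header)["name"])
        if SESSION_COOKIE_PATTERN.search(name):
            report[name] = missing_attributes(header)
    return report


if __name__ == "__main__":
    for cookie_name, missing in audit_session_cookies(SAMPLE_HEADERS).items():
        status = "OK" if not missing else "missing " + ", ".join(missing)
        print(f"{cookie_name}: {status}")
```

A cookie that reports "missing Secure" is the condition this CVE describes; after the iFix, every session cookie should report OK.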
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by a successful login from a different IP address
- Session cookies transmitted over HTTP in logs
Network Indicators:
- HTTP traffic containing session cookies to IBM Cloud Pak System
- Unencrypted authentication traffic
SIEM Query:
source="web_server" AND (uri CONTAINS "/api/session" OR cookie CONTAINS "JSESSIONID") AND protocol="http"