CVE-2023-40694

6.2 MEDIUM

📋 TL;DR

IBM Watson CP4D Data Stores versions 4.0.0 through 4.8.4 store sensitive information in log files that could be read by local users. This information disclosure vulnerability allows attackers with local access to potentially obtain credentials or other sensitive data. Organizations using affected versions of IBM Watson CP4D Data Stores are impacted.

💻 Affected Systems

Products:
  • IBM Watson CP4D Data Stores
Versions: 4.0.0 through 4.8.4
Operating Systems: All platforms running IBM Watson CP4D Data Stores
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with default logging configurations are vulnerable. The vulnerability exists in the logging mechanism itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attackers obtain administrative credentials or other highly sensitive data from logs, leading to full system compromise or data exfiltration.

🟠 Likely Case

Local users or attackers with basic access read sensitive configuration details, API keys, or partial credentials from log files.

🟢 If Mitigated

With proper access controls and log file permissions, only authorized administrators can access logs, limiting exposure.

🌐 Internet-Facing: LOW - This requires local access to the system, not directly exploitable over the network.
🏢 Internal Only: MEDIUM - Internal users with local access could exploit this to gain sensitive information.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to read log files. No authentication bypass is needed if the attacker already has local user access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.8.5 and later

Vendor Advisory: https://www.ibm.com/support/pages/node/7150286

Restart Required: Yes

Instructions:

1. Upgrade IBM Watson CP4D Data Stores to version 4.8.5 or later.
2. Apply the fix through the IBM Cloud Pak for Data administration console.
3. Restart the Data Stores service after patching.

🔧 Temporary Workarounds

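Restrict log file permissions (Linux)

Set strict permissions on the files in the log directories so that unauthorized local users cannot read sensitive logs. If the service writes its logs under a non-root account, use that account in place of root:root so logging keeps working.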

chmod 600 /path/to/cp4d/logs/*
chown root:root /path/to/cp4d/logs/*

Enable log redaction (all platforms)

Configure IBM Watson CP4D to redact sensitive information from logs before writing them.

🧯 If You Can't Patch

  • Implement strict access controls on log directories to limit read access to authorized administrators only.
  • Regularly monitor and audit log file access to detect unauthorized reading attempts.

🔍 How to Verify

Check if Vulnerable:

Check the IBM Watson CP4D Data Stores version in the administration console or with the command `oc get pods -n <namespace> -l app=cp4d-datastores`, and verify whether the version is between 4.0.0 and 4.8.4.

Check Version:

oc get pods -n <namespace> -l app=cp4d-datastores -o jsonpath='{.items[*].metadata.labels.version}'

Verify Fix Applied:

Confirm version is 4.8.5 or later using the same command, and verify log files no longer contain sensitive information in plain text.
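
The script below is an added example, not part of IBM's advisory or of this page's original text. It audits a log directory for the two conditions described above: files readable by group or other users, and lines that still carry unmasked credential-like values. The key names, the masking formats (`****`, `[redacted]`) and the function names are assumptions; it prints only file and line locations, never the matched values.

```shell
#!/usr/bin/env bash
# Added example: audit a log directory for group/other-readable files and
# for lines that still carry unmasked credential-like values.
# Key names and masking formats below are assumptions; tune them per deployment.

KEYS='(password|passwd|secret|api[_-]?key|token)'
SECRET_RE=$KEYS'[[:space:]]*[=:][[:space:]]*[^[:space:]]+'
MASKED_RE=$KEYS'[[:space:]]*[=:][[:space:]]*(\*+|\[redacted\])'

# List regular files under $1 that group or other users can read.
loose_perm_files() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print | sort
}

# List "file:line" locations of credential-like assignments whose value is
# not masked. Only the location is printed, never the matched value.
secret_hits() {
    grep -rHEin -- "$SECRET_RE" "$1" 2>/dev/null |
        grep -Eiv -- "$MASKED_RE" |
        cut -d: -f1,2 | sort
}

# Report both findings; exit status 0 means the directory is clean.
audit_logs() (
    perms=$(loose_perm_files "$1")
    hits=$(secret_hits "$1")
    if [ -n "$perms" ]; then
        printf 'Readable by group/other:\n%s\n' "$perms"
    fi
    if [ -n "$hits" ]; then
        printf 'Possible plaintext secrets at:\n%s\n' "$hits"
    fi
    [ -z "$perms$hits" ]
)

# Run the audit when a directory is given, e.g. ./audit.sh /path/to/cp4d/logs
[ "$#" -eq 0 ] || audit_logs "$1"
```

A line is skipped when its value is masked, so a line holding both a masked and an unmasked value is not reported; treat a clean result as a spot check rather than proof.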

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to log files
  • Log entries containing sensitive data like passwords or API keys

Network Indicators:

  • None - this is a local information disclosure vulnerability

SIEM Query:

source="cp4d_logs" AND (event="file_access" AND file_path="*log*" AND user NOT IN ["authorized_users"])
