CVE-2024-22351
📋 TL;DR
IBM InfoSphere Information Server 11.7 fails to properly invalidate user sessions after logout, allowing authenticated users to reuse old session tokens to impersonate other users. This affects organizations using IBM InfoSphere Information Server 11.7 for data integration and governance. The vulnerability requires an authenticated user to exploit.
💻 Affected Systems
- IBM InfoSphere Information Server
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious user could steal another user's active session and gain unauthorized access to sensitive data, modify data integration workflows, or escalate privileges within the InfoSphere environment.
Likely Case
An authenticated user could reuse their own or another user's session after logout to maintain access or access resources they shouldn't have access to, potentially leading to data exposure or unauthorized actions.
If Mitigated
With proper session management controls and monitoring, the impact is limited to temporary unauthorized access that can be detected and revoked.
🎯 Exploit Status
Exploitation requires an authenticated user session. The attacker needs to capture or predict valid session tokens that should have been invalidated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply fix pack 11.7.1.4 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7229921
Restart Required: Yes
Instructions:
1. Download the latest fix pack from IBM Fix Central.
2. Apply the fix pack following IBM's installation instructions.
3. Restart the InfoSphere Information Server services.
4. Verify the fix by testing session invalidation after logout.
🔧 Temporary Workarounds
Implement Session Timeout
Configure shorter session timeout values to limit the window in which stale sessions could be reused.
Configure in InfoSphere Administration Console: Security > Session Management > Set appropriate timeout values
Force Logout All Users
Periodically force all users to re-authenticate to clear potentially stale sessions.
Schedule periodic service restarts or use administrative tools to invalidate all sessions
🧯 If You Can't Patch
- Implement network segmentation to restrict access to InfoSphere servers to only authorized users and systems.
- Enable detailed session logging and monitor for suspicious session reuse patterns.
🔍 How to Verify
Check if Vulnerable:
Check if running IBM InfoSphere Information Server version 11.7 without fix pack 11.7.1.4 or later applied.
Check Version:
Check the version in the InfoSphere Administration Console or run: /opt/IBM/InformationServer/ASBServer/bin/versionInfo.sh (Linux) or equivalent on Windows
Verify Fix Applied:
After applying the fix, test by logging in, performing actions, logging out, then attempting to reuse the same session token - it should be rejected.
📡 Detection & Monitoring
Log Indicators:
- Multiple successful logins from same session ID after logout events
- Session reuse from different IP addresses or user agents
- Unusual session duration patterns
Network Indicators:
- Repeated authentication requests with same session tokens
- Session tokens being used after logout events
SIEM Query (pseudo-query; adapt the field names and correlation syntax to your SIEM):
source="infosphere_logs" AND (event_type="session_reuse" OR (event_type="logout" AND subsequent_event="successful_auth" WITH same session_id))
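The correlation the query above describes, as an added detection example that is not part of the page or of IBM's tooling: it parses a constructed, space-separated log format (timestamp, event type, session ID, user, source IP, all assumed for illustration) and flags any event that uses a session ID after a logout for that same session, noting whether the source IP changed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample log lines (not real InfoSphere output).
# Assumed format: "<ISO timestamp> <event_type> <session_id> <user> <src_ip>".
SAMPLE_LOG = """\
2024-03-01T09:00:00Z login sess-A1 alice 10.0.0.5
2024-03-01T09:05:00Z activity sess-A1 alice 10.0.0.5
2024-03-01T09:10:00Z logout sess-A1 alice 10.0.0.5
2024-03-01T09:12:00Z activity sess-A1 alice 10.0.0.77
2024-03-01T09:00:30Z login sess-B2 bob 10.0.0.6
2024-03-01T09:30:00Z logout sess-B2 bob 10.0.0.6
"""

@dataclass
class Event:
    ts: datetime
    event_type: str
    session_id: str
    user: str
    src_ip: str

def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, sid, user, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            etype, sid, user, ip))
    return sorted(events, key=lambda e: e.ts)

def find_session_reuse(events: List[Event]) -> List[dict]:
    """One finding per event that reuses a session ID after that session logged out."""
    logged_out: Dict[str, Event] = {}   # session_id -> most recent logout event
    findings = []
    for ev in events:
        if ev.event_type == "logout":
            logged_out[ev.session_id] = ev
        elif ev.session_id in logged_out:
            prior = logged_out[ev.session_id]
            findings.append({
                "session_id": ev.session_id,
                "user": ev.user,
                "logout_ts": prior.ts.isoformat(),
                "reuse_ts": ev.ts.isoformat(),
                "ip_changed": ev.src_ip != prior.src_ip,  # different IP = stronger signal
            })
    return findings
```

On the sample data this reports one finding: sess-A1 is used two minutes after its logout, from a different source IP.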