CVE-2024-56463
📋 TL;DR
IBM QRadar SIEM 7.5 contains a stored cross-site scripting vulnerability that allows a privileged user to embed arbitrary JavaScript in the web UI. Script planted this way runs in the browsers of other users who view the affected page, which could disclose their credentials or let the attacker act within their authenticated sessions. Exploitation requires an account with administrative privileges; unauthenticated or low-privilege users cannot trigger it.
💻 Affected Systems
- IBM QRadar SIEM
📦 What is this software?
QRadar Security Information and Event Manager by IBM
View all CVEs affecting QRadar Security Information and Event Manager →
⚠️ Risk & Real-World Impact
Worst Case
A malicious or compromised administrator plants persistent script in the console that captures other administrators' session credentials, giving the attacker durable control of the SIEM and the ability to blind or tamper with security monitoring.
Likely Case
A privileged insider or a compromised admin account injects script to hijack other users' sessions, harvest their credentials, or quietly alter rules, offenses and alerts.
If Mitigated
With administrative access tightly limited and monitored, impact is confined to users who actually view the injected UI element, and the pool of accounts able to plant it is small.
🎯 Exploit Status
Exploitation requires an authenticated account with privileged access; once such access is held, planting a stored XSS payload through the web UI is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: See the IBM Security Bulletin for the fixed release
Vendor Advisory: https://www.ibm.com/support/pages/node/7183251
Restart Required: Yes
Instructions:
1. Review the IBM Security Bulletin and identify the fix that applies to your QRadar 7.5 release.
2. Download the fix from IBM Fix Central.
3. Apply it following the standard QRadar update procedure (console first, then managed hosts).
4. Restart QRadar services as the update procedure requires.
🔧 Temporary Workarounds
Restrict Privileged Access
Limit administrative accounts to essential personnel only, enforce strong authentication on them, and review the membership of privileged roles regularly.
Content Security Policy
Where a supported reverse proxy or WAF fronts the console, add Content-Security-Policy headers that restrict script sources. The QRadar web UI is vendor-managed, so changing its response headers directly is generally not a supported change, and CSP reduces rather than eliminates the impact of stored XSS.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for QRadar administrative accounts
- Monitor privileged user activity in the QRadar audit logs and enforce short session timeouts for the web interface
🔍 How to Verify
Check if Vulnerable:
Compare the installed QRadar 7.5 version against the fixed release named in the IBM bulletin; the version is shown in the console under Admin > System & License Management > Deployment Status
Check Version:
ssh admin@qradar-host 'cat /opt/qradar/VERSION'
Verify Fix Applied:
Verify patch installation via Admin > System & License Management > Installed Updates
📡 Detection & Monitoring
Log Indicators:
- Unusual administrative user activity
- Multiple failed login attempts followed by successful privileged access
- Suspicious JavaScript payloads (script tags, event-handler attributes, javascript: URIs, possibly URL- or HTML-encoded) in saved field values and web request logs
Network Indicators:
- Unusual outbound connections from QRadar server following admin login
SIEM Query (illustrative pseudo-query; the event and field names are placeholders that must be mapped to your log source's schema, for example to AQL if you query QRadar's own audit events):
source="qradar" AND (event="ADMIN_LOGIN" OR event="PRIVILEGED_ACTION") | stats count by user