CVE-2025-1334
📋 TL;DR
IBM QRadar Suite Software and IBM Cloud Pak for Security could allow a local user to view web pages that other users of the same system have stored locally. Organizations running releases below the fixed versions (QRadar Suite 1.11.2.1, Cloud Pak for Security 1.10.11.1) are affected; the exposed pages can carry the configuration and operational details shown in the product's web interface.
💻 Affected Systems
- IBM QRadar Suite Software
- IBM Cloud Pak for Security
📦 What is this software?
IBM QRadar Suite Software is IBM's containerized security platform for threat detection, investigation and response, deployed on Red Hat OpenShift; IBM Cloud Pak for Security is the earlier name of the same platform.
⚠️ Risk & Real-World Impact
Worst Case
A malicious local user reads pages that another user stored locally, including configuration details or operational data from the console, and uses what they learn to plan further attacks on the platform.
Likely Case
Accidental leakage: pages one legitimate user stored locally are readable by another user of the same system, exposing non-critical operational data.
If Mitigated
With one OS account per person and owner-only permissions on the stored pages, the impact is minimal: at most non-sensitive cached content is readable by someone else.
🎯 Exploit Status
Exploitation requires an account on the system where the pages are stored; no remote or unauthenticated path is described, and this page records no public exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QRadar Suite 1.11.2.1 or later; Cloud Pak for Security 1.10.11.1 or later
Vendor Advisory: https://www.ibm.com/support/pages/node/7235432
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Obtain and apply the fixed release as directed in the vendor advisory.
3. Restart the affected services.
4. Confirm that the reported version is at or above the fixed release.
🔧 Temporary Workarounds
Restrict local user access
Limit accounts on the affected system to the administrators who need them: the flaw requires a local login, so every unnecessary account is an unnecessary reader.
# List accounts that can log in interactively (a real shell, not nologin/false)
awk -F: '$7 !~ /(nologin|false)$/ {print $1, $7}' /etc/passwd
# Remove accounts that are not needed; constrain the rest through sudo policy
visudo
Implement file permission hardening
Tighten permissions on the directories where the stored pages are written. The paths below are an assumption, not a documented product location; confirm where your deployment keeps the pages before changing anything, and check the owner of each directory first, because chmod 700 on a directory owned by a service account other than the one that uses it breaks that service instead of protecting the data.
# Remove group/other access from directories confirmed to hold stored pages
find /opt/ibm/ -name '*cache*' -type d -exec chmod 700 {} \;
find /var/cache/ -name '*ibm*' -type d -exec chmod 700 {} \;
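Before changing modes it helps to see which matching directories are actually open to group or others and who owns them. The script below is an added example, not IBM's code: the /opt/ibm location and the '*cache*' glob it searches are the page's assumption rather than a documented path, and the demo tree it builds under a temp directory is constructed. It reports loose directories first and tightens one only when its owner is the account you name.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code). Finds directories matching a name glob that
# grant any permission to group or others, and tightens a directory to 0700
# only if its owner is the expected service account. The /opt/ibm location
# and the '*cache*' glob come from the page and are assumptions.

# Print "mode owner path" for each matching directory readable beyond its owner.
# $1 = search root, $2 = directory name glob
find_loose_dirs() {
    # -perm /077: at least one group or other permission bit is set
    find "$1" -type d -name "$2" -perm /077 -printf '%m %u %p\n' 2>/dev/null
}

# Remove group/other access from one directory, refusing if the owner is not
# the account we expect: chmod 700 on a directory owned by another service
# account would lock that service out rather than protect the data.
# $1 = directory, $2 = expected owner. Returns 1 when skipped.
tighten_dir() {
    owner=$(stat -c '%U' "$1") || return 2
    if [ "$owner" != "$2" ]; then
        echo "skip: $1 is owned by $owner, expected $2" >&2
        return 1
    fi
    chmod 700 "$1"
}

# Demo on a constructed tree in a temp directory (not real product paths).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/webcache" "$root/cache_private" "$root/logs"
    chmod 755 "$root/webcache"; chmod 700 "$root/cache_private"
    echo "before:"; find_loose_dirs "$root" '*cache*'
    tighten_dir "$root/webcache" "$(id -un)"
    echo "after:";  find_loose_dirs "$root" '*cache*'
    rm -rf "$root"
}
demo
```

Run find_loose_dirs against the real root you identified and review the owner column before calling tighten_dir on anything; the function needs GNU find and stat, which is what a Linux host provides.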
🧯 If You Can't Patch
- Keep local accounts to the minimum and give each person their own OS account; the flaw needs a local login, and a shared account removes the only boundary between one user's stored pages and another's
- If the pages are ones the browser saved on a shared workstation rather than files on the server, server-side permission changes do nothing for them: clear the browser cache on shared machines and do not share browser profiles
- Put the directories holding the stored pages under file-access auditing and review reads by any account other than the owner; ordinary syslog does not record successful reads
🔍 How to Verify
Check if Vulnerable:
Both products run on Red Hat OpenShift rather than as a standalone appliance, so there is no fixed local file to read a version from; take the installed version from the platform console or from the deployment objects your installation uses, then compare it with the fixed releases.
Check Version:
Vulnerable if QRadar Suite Software is below 1.11.2.1 or Cloud Pak for Security is below 1.10.11.1
Verify Fix Applied:
The reported version is QRadar Suite Software 1.11.2.1 or later, or Cloud Pak for Security 1.10.11.1 or later
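Comparing a version string against the fixed release is where ad-hoc checks go wrong: a plain string compare puts 1.10.9.0 after 1.10.11.1. The helper below is an added example, not from IBM or the advisory; it encodes the two fixed releases named above and uses sort -V for the comparison, and the product labels qradar-suite and cp4s are names chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): decide whether a reported version is at or
# above the fixed release named in the advisory. The product labels
# qradar-suite and cp4s are names chosen for this example.

# Print the first fixed release for a product label.
fixed_version_for() {
    case $1 in
        qradar-suite) echo 1.11.2.1 ;;
        cp4s)         echo 1.10.11.1 ;;
        *)            echo "unknown product: $1" >&2; return 2 ;;
    esac
}

# Return 0 when $2 is at or above the fixed release for product $1, 1 when
# still vulnerable, 2 for an unknown product. sort -V compares component by
# component numerically, so 1.10.9.0 sorts below 1.10.11.1; a plain string
# comparison would get this backwards.
is_patched() {
    fixed=$(fixed_version_for "$1") || return 2
    lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Usage: is_patched qradar-suite 1.11.2.0 && echo patched || echo vulnerable
for v in 1.10.12.0 1.11.2.0 1.11.2.1; do
    if is_patched qradar-suite "$v"; then
        echo "qradar-suite $v: patched"
    else
        echo "qradar-suite $v: vulnerable"
    fi
done
```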
📡 Detection & Monitoring
Log Indicators:
- Reads of the directories holding stored pages by an account other than the one that wrote them; this is visible only if those directories are under file-access auditing (for example an auditd watch), since ordinary syslog does not record successful reads
- The same stored file opened by several different uids in a short window
Network Indicators:
- N/A - the flaw is local file access only
SIEM Query:
source="*syslog*" AND ("Permission denied" OR "access denied") AND path="*/opt/ibm/*"
This query matches failed attempts only, so it is useful after permissions have been tightened (a user probing the now-closed directories) and says nothing about successful reads before that.
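The second log indicator, several accounts opening the same stored file, needs the audit records joined by event id, because auditd writes the uid in the SYSCALL record and the file name in a separate PATH record. The script below is an added example, not IBM's code: it assumes the directories are under an auditd watch with key "webcache" (the /opt/ibm path is the page's assumption, not a documented product location), and the audit records it runs over are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code). Joins auditd SYSCALL and PATH records on
# their event id and reports files opened by more than one distinct uid,
# which is the "several accounts reading the same stored page" indicator.
# Assumptions: the directories are under an auditd watch with key "webcache",
# e.g.  auditctl -w /opt/ibm/webcache -p r -k webcache  (path from the page,
# not a documented product location). The sample records are constructed.

# Reads audit records on stdin; prints "path uid,uid,..." for each path
# opened by at least two different uids.
shared_access_files() {
    awk '
    # event id is the number after the colon in msg=audit(ts:ID):
    function event_id(line,   m) {
        if (!match(line, /msg=audit\([0-9.]+:[0-9]+\)/)) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/.*:/, "", m); sub(/\)/, "", m)
        return m
    }
    # value of key=val or key="val"; pass " uid" with the leading space so it
    # does not match euid, suid, fsuid or auid
    function field(line, key,   m) {
        if (!match(line, key "=\"?[^ \"]+")) return ""
        m = substr(line, RSTART, RLENGTH)
        sub(/^[^=]*="?/, "", m)
        return m
    }
    /^type=SYSCALL/ { id = event_id($0); if (id != "") uid[id] = field($0, " uid") }
    # only the NORMAL item is the file itself; PARENT and CWD items are skipped
    /^type=PATH/ && /nametype=NORMAL/ { id = event_id($0); if (id != "") path[id] = field($0, "name") }
    END {
        for (id in path) {
            if (!(id in uid)) continue
            p = path[id]; u = uid[id]
            if ((p, u) in seen) continue
            seen[p, u] = 1
            count[p]++
            users[p] = (p in users) ? users[p] "," u : u
        }
        for (p in count) if (count[p] > 1) print p, users[p]
    }'
}

# Constructed sample: uids 1001 and 1002 both open page.html; only 1001 opens private.html.
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 auid=1001 comm="firefox" key="webcache"
type=PATH msg=audit(1700000000.101:501): item=0 name="/opt/ibm/webcache/page.html" inode=12 mode=0100644 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=3 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 auid=1002 comm="cat" key="webcache"
type=PATH msg=audit(1700000000.102:502): item=0 name="/opt/ibm/webcache/page.html" inode=12 mode=0100644 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=257 success=yes exit=3 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 auid=1001 comm="firefox" key="webcache"
type=PATH msg=audit(1700000000.103:503): item=0 name="/opt/ibm/webcache/private.html" inode=13 mode=0100600 ouid=1001 ogid=1001 nametype=NORMAL
EOF
)

# Usage on a live host: ausearch -k webcache --raw | shared_access_files
printf '%s\n' "$SAMPLE_AUDIT" | shared_access_files
```

On the sample only page.html is reported, because private.html was opened by one uid. On a real host, filter the report further by comparing each uid against the file's ouid so that the owner's own reads are not counted as suspicious.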