CVE-2024-40684

Summary

IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.

Affected Software

VendorProductVersion RangeStatus
IBMOperations Analytics - Log Analysis1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3 <= 7.2.0.14affected
IBMOperations Analytics - Log Analysis1.3.6.0, 1.3.6.1affected
IBMOperations Analytics - Log Analysis1.3.7.0, 1.3.7.1, 1.3.7.2affected
IBMOperations Analytics - Log Analysis1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4affected

Weaknesses

  • CWE-521: CWE-521 Weak Password Requirements

Workarounds

Implement the LDAP user registry in place of the database-managed custom user registry provided in Log Analysis. Refer to the link below for more information:

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References