{"id":2089,"date":"2025-04-28T22:33:23","date_gmt":"2025-04-28T22:33:23","guid":{"rendered":"http:\/\/localhost\/?p=2089"},"modified":"2025-04-28T22:33:23","modified_gmt":"2025-04-28T22:33:23","slug":"security-bulletin-ibm-security-verify-information-queue-does-not-always-enable-http-strict-transport","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=2089","title":{"rendered":"Security Bulletin: IBM Security Verify Information Queue does not always enable HTTP Strict Transport Security when sending error responses (CVE-2021-20409)"},"content":{"rendered":"
\n

Vulnerability Details<\/h2>\n
\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Title<\/th>\nSecurity Bulletin: IBM Security Verify Information Queue does not always enable HTTP Strict Transport Security when sending error responses (CVE-2021-20409)<\/td>\n<\/tr>\n
Type<\/th>\nibm<\/td>\n<\/tr>\n
Published<\/th>\n2025-04-28T20:41:23<\/td>\n<\/tr>\n
Last Seen<\/th>\n2025-04-29T02:56:45<\/td>\n<\/tr>\n
CVSS Score<\/th>\n7.5 (HIGH)<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVSS v3 Details<\/h3>\n\n\n\n\n\n\n\n\n\n
Attack Vector<\/th>\nNETWORK<\/td>\n<\/tr>\n
Attack Complexity<\/th>\nLOW<\/td>\n<\/tr>\n
Privileges Required<\/th>\nNONE<\/td>\n<\/tr>\n
User Interaction<\/th>\nNONE<\/td>\n<\/tr>\n
Scope<\/th>\nUNCHANGED<\/td>\n<\/tr>\n
Confidentiality Impact<\/th>\nHIGH<\/td>\n<\/tr>\n
Integrity Impact<\/th>\nNONE<\/td>\n<\/tr>\n
Availability Impact<\/th>\nNONE<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

CVE Information<\/h3>\n\n\n\n\n
CVE IDs<\/th>\nCVE-2021-20409<\/td>\n<\/tr>\n
CWE<\/th>\n<\/td>\n<\/tr>\n
Bulletin Family<\/th>\nsoftware<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

Description<\/h3>\n
\n ## Summary<\/p>\n

The web server in IBM Security Verify Information Queue (ISIQ) does not add the HTTP Strict Transport Security header in its internally generated error responses. Consequently, a remote attacker could obtain sensitive information from an insecure HTTP connection. As of v10.0.0, ISIQ is setting the Strict Transport Security header for all responses.<\/p>\n

## Vulnerability Details<\/p>\n

**CVEID:**CVE-2021-20409
\n**DESCRIPTION:** IBM Security Verify Information Queue could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
\nCVSS Base score: 5.9
\nCVSS Temporal Score: See: https:\/\/exchange.xforce.ibmcloud.com\/vulnerabilities\/196188 for the current score.
\nCVSS Vector: (CVSS:3.0\/AV:N\/AC:H\/PR:N\/UI:N\/S:U\/C:H\/I:N\/A:N)<\/p>\n

## Affected Products and Versions<\/p>\n

Affected Product(s) | Version(s)
\n—|—
\nIBM Security Verify Information Queue | 1.0.6, 1.0.7 <\/p>\n

## Remediation\/Fixes<\/p>\n

Download and install the latest IBM Security Verify Information Queue images (tagged at 10.0.0 or greater) from the Docker Hub repository. The instructions for accessing and deploying the images can be found on the ISIQ starter kit page: https:\/\/www.ibm.com\/support\/pages\/ibm-security-information-queue-starter-kit<\/p>\n

## Workarounds and Mitigations<\/p>\n

None<\/p>\n

##\n <\/p><\/div>\n<\/p><\/div>\n

\n

Impact Assessment<\/h3>\n\n\n\n
Base Score<\/th>\n7.5<\/td>\n<\/tr>\n
Severity<\/th>\nHIGH<\/td>\n<\/tr>\n<\/table><\/div>\n
\n

View full CVE details<\/a><\/p>\n<\/p><\/div>\n<\/div>\n