IBM OpenPages with Watson Encryption Vulnerability Allowing Data Extraction

Vulnerability

A vulnerability exists in IBM OpenPages with Watson versions 8.3 and 9.0, where AES encryption in CBC mode may not provide adequate security for stored data. This flaw could allow an authenticated remote attacker with database access, or a local attacker with access to server files, to extract encrypted data values. The attacker could then use additional cryptographic methods to potentially decrypt the extracted data.

Impact

Exploitation of this vulnerability could result in unauthorized extraction of encrypted data, which could then be decrypted using additional cryptographic methods due to the weakness in the encryption algorithm.

Remediation

Users of IBM OpenPages 9.0 should upgrade to version 9.0 FixPack 5 or later. Users of IBM OpenPages 8.3 should upgrade to version 8.3 FixPack 3, followed by 8.3.03 Interim Fix 1. Instructions for downloading these updates are available on the IBM Support website.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 1.4
impact: 2.5
exploitability: 4.9
remediation: 7.7
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.