CVE-2024-40684 PUBLISHED

IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism

Assigner: ibm
Reserved: 08.07.2024 Published: 27.05.2026 Updated: 27.05.2026

IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, and 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require users to have strong passwords by default, which makes it easier for attackers to compromise user accounts.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 5.9

Product Status

Vendor IBM
Product Operations Analytics - Log Analysis
Versions
  • affected from 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3 to 7.2.0.14 (incl.)
  • Version 1.3.6.0, 1.3.6.1 is affected
  • Version 1.3.7.0, 1.3.7.1, 1.3.7.2 is affected
  • Version 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 is affected

Workarounds

Implement the LDAP user registry in place of the database-managed custom user registry provided in Log Analysis. Refer to the links below for more information:

  • Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.7 https://www.ibm.com/docs/en/oala/1.3.7
  • Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.8 https://www.ibm.com/docs/en/oala/1.3.8

Solutions

None

Problem Types

  • CWE-521 Weak Password Requirements