Release Notes
Abstract
This document provides information about improving pattern security in IBM PureApplication System or IBM Cloud Pak System from a weak password policy perspective.
Content
Security vulnerability details
CVEID: CVE-2019-4235
DESCRIPTION: IBM Pure Application System does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/159417 for the current score.
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
To address the above security vulnerability, the existing password policy has been enhanced in IBM PureApplication System V2.2.6.0 or IBM Cloud Pak System V2.3.0.x.
What to expect with the new changes
- minimum number of characters in password: 8
- minimum number of alphabetic characters in password: 1
- minimum number of non-alphabetic characters in password: 1
During pattern deployment, the password field(s) are validated against the defined password policy. If any of the above rules is violated, one of the following error messages is displayed:
CMPRE0016E: The given password violates password policy for pattern deployments. The password length must be at least 8.
CMPRE0015E: The given password violates password policy for pattern deployments. Password must contain at least one numeric and one alphabet characters.
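The following Python example is added here and is not IBM's code; it re-implements the three rules listed above so that a pattern's credential fields can be checked before deployment and the failing field named (the deployment page itself does not highlight it). The field names in the sample pattern are constructed, and the check follows the rules as stated (any non-alphabetic character counts), even though the CMPRE0015E message text says "numeric".

```python
# Added example (not IBM PureApplication System / Cloud Pak System code):
# pre-deployment check of pattern password fields against the enforced policy.
# Error codes are the ones quoted on this page; sample field names are constructed.
from typing import Dict, List, Tuple

MIN_LENGTH = 8       # minimum number of characters in password
MIN_ALPHA = 1        # minimum number of alphabetic characters
MIN_NON_ALPHA = 1    # minimum number of non-alphabetic characters


def check_password(password: str) -> List[str]:
    """Return the policy error codes the password violates (empty list if it conforms)."""
    errors: List[str] = []
    if len(password) < MIN_LENGTH:
        errors.append("CMPRE0016E")  # length must be at least 8
    alpha = sum(1 for c in password if c.isalpha())
    non_alpha = len(password) - alpha
    if alpha < MIN_ALPHA or non_alpha < MIN_NON_ALPHA:
        errors.append("CMPRE0015E")  # needs alphabetic and non-alphabetic characters
    return errors


def audit_pattern(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Check every password field of a pattern; return (field name, error code) pairs."""
    findings: List[Tuple[str, str]] = []
    for name, value in fields.items():
        for code in check_password(value):
            findings.append((name, code))
    return findings


# Constructed sample pattern with three credential fields (hypothetical names).
SAMPLE_PATTERN = {
    "db2.admin.password": "Passw0rd!",    # conforms
    "was.admin.password": "abc1",         # too short
    "mq.admin.password": "lettersonly",   # no non-alphabetic character
}

if __name__ == "__main__":
    for field, code in audit_pattern(SAMPLE_PATTERN):
        print(f"{field}: {code}")
```

Run it against the fields of a cloned pattern before deploying to see every violation at once instead of one error per deployment attempt.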
If a user opens an existing pattern deployment, edits the password in the pattern builder editor, and saves it, the new password policy applies.
When the system is upgraded from a lower version to IBM PureApplication System V2.2.6.0 or IBM Cloud Pak System V2.3.0.x, the upgrade does not affect the existing deployed pattern instances. However, when a new pattern instance is deployed, the password policy applies.
User types
- Admin user: The behaviour for admin and non-admin users is similar. The saved password must conform to the password policy; otherwise, the password must be reset to satisfy the new password policy. No impact on existing deployments.
- Non-admin user: In the case of a non-admin user, the password is masked by a default password for security reasons. This default password does not conform to the password policy, so the password must be reset during new deployments. No impact on existing deployments.
- LDAP user: Any of the above aspects can apply.
Frequently Asked Questions (FAQ)
- Q: Is it possible to loosen or disable the policy by users (officially/unofficially)?
- A: No, it is not possible to change the enforced policy in IBM PureApplication System V2.2.6.0 or IBM Cloud Pak System V2.3.0.x.
- Q: There are many existing locked patterns with weak passwords. How can users enable them again? Do they need to clone all of them and change the passwords?
- A: Yes, the default passwords will need to be changed in the pattern editor, after cloning them and making them editable. When existing patterns are deployed either as a new instance or if the pattern is edited and then deployed, then the new password policy enforcement will take effect.
- Q: On the deployment page, the error message does not show which password is violating the policy. A pattern can contain multiple userid/password fields, and users sometimes need to retype all of them.
- A: Yes, the specific password field that has a non-conforming password is currently not highlighted.
- Q: How will the password policy apply to existing patterns?
- A: Existing pattern deployments will remain unaffected and will continue to work with the previously saved passwords, even though they may not conform to the password policy. When existing patterns are deployed either as a new instance or if the pattern is edited, then the new password policy enforcement will take effect.
Original Publication Date
28 June 2019
Document Information
Modified date: 06 May 2020
UID: ibm10957267