CVE-2022-22480: IBM QRadar SIEM 7.4 and 7.5 data node rebalancing does not work correctly with encrypted hosts, which could lead to information disclosure.
When using a large number of virtual servers in a data center or hosting provider environment, it is common to dedicate different physical hosts to different roles. For example, one physical host could be used as the load balancer, another as the database server, and so on.
When data node distribution is configured, the issue tracked as IBM X-Force ID 225889 occurs when a data node cannot be distributed to the appropriate physical host for that data node. As a result, the data node is distributed to the wrong physical host and data integrity is compromised.
QRadar 7.4 and 7.5 data node distribution does not function correctly when using encrypted hosts. This issue occurs when a host with an X.509 certificate is encrypted. When X.509 encrypted hosts are selected for data node distribution, the data node is distributed to a different host than was intended.
How to know if you are affected by this issue
1. Check if your data node distribution is configured properly
2. If the issue persists, check if you have an X.509 certificate encrypted host selected for data node distribution
How do I know if I am affected?
You are affected if you have a large number of virtual servers in a data center or hosting provider environment, and you have configured the data node distribution. If you find that X-Force ID 225889 is appearing in your logs when using data node distribution, then your system is affected by this issue.
How do I know if my system is affected?
If you are using encrypted hosts for data node distribution and you notice that X-Force ID 225889 occurs when trying to distribute a data node, your system is affected by this issue.
How to remediate
- Deploy X.509 certificates to all hosts in the environment.
- Run "z/OS CEPUTOOL SITM UPDATE USER MAPPING" to map physical hosts with certificates.
- Run "z/OS CEPUTOOL SITM UPDATE USER MAPPING" to map data nodes to physical hosts.