CVE-2023-38281 Overview
IBM Cloud Pak System does not set the Secure attribute on authorization tokens or session cookies. An attacker may be able to obtain the cookie values by sending an http:// link to a user or by planting such a link on a site the user visits. The browser sends the cookie to the insecure URL, and the attacker can then read the cookie value by sniffing the traffic.
Critical Impact
Session cookies transmitted without the secure flag can be intercepted over unencrypted HTTP connections, potentially leading to session hijacking and unauthorized access to IBM Cloud Pak System environments.
Affected Products
- IBM Cloud Pak System
Discovery Timeline
- 2026-02-04 - CVE-2023-38281 published to NVD
- 2026-02-05 - Last updated in NVD database
Technical Details for CVE-2023-38281
Vulnerability Analysis
This vulnerability stems from a misconfiguration in how IBM Cloud Pak System sets the attributes of its session cookies. A cookie that lacks the Secure attribute is sent by the browser over both HTTP and HTTPS, so it rides along on any plaintext request to the cookie's domain, on any port, whether the user typed the URL, followed a link, or was redirected to it. A network-positioned attacker can therefore capture authentication tokens and session identifiers without breaking TLS at all.
The attack scenario involves an adversary either sending a malicious HTTP link to a victim or injecting such a link into a website the victim frequents. When the victim's browser follows the link, it automatically attaches the non-Secure cookies to the request, and they travel in plaintext over the network. A SameSite=Lax setting would not block this, because following a link is a top-level navigation on which Lax cookies are still sent. An attacker able to observe the traffic (on a shared Wi-Fi network, through a compromised router, or anywhere on the path) can capture the cookies and use them to impersonate the legitimate user.
Root Cause
The root cause is the absence of the Secure attribute on authorization tokens and session cookies in IBM Cloud Pak System (CWE-614, Sensitive Cookie in HTTPS Session Without 'Secure' Attribute). Without it, the browser sends the cookie over unencrypted connections. A correctly issued cookie carries the Secure attribute, which instructs the browser to send it only over HTTPS. HttpOnly is a separate attribute: it stops scripts from reading the cookie but does nothing to prevent the browser from transmitting it in plaintext.
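The following is an added example, not code from the page or from IBM. It drives Python's standard-library cookie jar, whose policy mirrors the browser rule at issue: a cookie issued without Secure is attached to http:// requests for the same host (on any port), while a cookie issued with Secure is only attached to https:// requests. The host name (cloudpak.example.invalid) and the cookie names session_id and auth_token are made up for the demonstration, and no network traffic is generated.

```python
"""Added example: how the Secure attribute changes which requests carry a cookie.

Not IBM code. The host and cookie names are hypothetical; http.cookiejar's
DefaultCookiePolicy applies the same Secure rule a browser does.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

HOST = "cloudpak.example.invalid"          # hypothetical Cloud Pak System host
ORIGIN = f"https://{HOST}/"                # the HTTPS login response that set the cookies

# Constructed Set-Cookie headers: the first reproduces the flaw (no Secure),
# the second is the corrected form.
SET_COOKIE_HEADERS = [
    "session_id=1f2e3d4c; Path=/; HttpOnly",
    "auth_token=9a8b7c6d; Path=/; Secure; HttpOnly",
]


class _FakeResponse:
    """Minimal stand-in for an http.client response: extract_cookies only calls info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def jar_from_set_cookie(origin_url, set_cookie_values):
    """Store cookies the way a browser would after receiving them from origin_url."""
    headers = Message()
    for value in set_cookie_values:
        headers["Set-Cookie"] = value      # Message keeps repeated headers
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(headers), Request(origin_url))
    return jar


def cookie_names_sent_to(jar, url):
    """Sorted names of the cookies the jar would attach to a request for url.

    No I/O happens: add_cookie_header only fills in the Cookie request header.
    """
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return sorted(pair.split("=", 1)[0] for pair in header.split("; "))


def leaked_over_http(jar, host_and_port):
    """Names of cookies that would travel in plaintext to http://host_and_port/."""
    return cookie_names_sent_to(jar, f"http://{host_and_port}/")


if __name__ == "__main__":
    jar = jar_from_set_cookie(ORIGIN, SET_COOKIE_HEADERS)
    print("sent over https:     ", cookie_names_sent_to(jar, ORIGIN))
    print("sent over http:      ", leaked_over_http(jar, HOST))
    print("sent over http:8080: ", leaked_over_http(jar, f"{HOST}:8080"))
```

The http://host:8080/ case matters in practice: the planted link does not have to point at a real HTTP listener, only at the cookie's host, and an on-path attacker who completes the TCP handshake receives the request with the cookie.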
Attack Vector
The attack vector is network-based and requires the attacker to position themselves to intercept traffic between the victim and the target server. Common scenarios include:
- Man-in-the-Middle (MitM) Position: Attacker on shared network infrastructure (public Wi-Fi, compromised network)
- Link Injection: Attacker plants HTTP links in emails, websites, or applications that victims may access
- Traffic Sniffing: Passive network monitoring to capture cookies transmitted in plaintext
Once the attacker captures the session cookie, they can replay it to gain authenticated access to the IBM Cloud Pak System as the victim user.
The vulnerability is triggered whenever a user who holds a valid Cloud Pak System session loads an http:// URL on the Cloud Pak System host. The browser includes the session cookie in that request, where network eavesdropping can capture it. For technical details, refer to the IBM Support Article.
Detection Methods for CVE-2023-38281
Indicators of Compromise
- Unusual session activity from unexpected IP addresses or geographic locations
- Multiple concurrent sessions from the same user account originating from different endpoints
- Authentication events that bypass typical user login workflows
- Session tokens being used after the legitimate user has logged out
Detection Strategies
- Monitor HTTP access logs for requests to IBM Cloud Pak System resources that should be HTTPS-only
- Implement network traffic analysis to detect sensitive cookies transmitted over unencrypted connections
- Review web application firewall logs for HTTP requests containing session tokens
- Deploy intrusion detection rules to identify potential session hijacking patterns
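As an added example (not from the page or from IBM) of the first strategy above, the script below runs over Apache access-log lines in the vhost_combined format (%v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"). Every request that reaches a plaintext port on a host that should be HTTPS-only is an alert: by the time the log line is written, the browser has already put any non-Secure cookie into that request, even if the server only answered with a redirect. The host name, the port set and the three sample log lines are constructed for the example.

```python
"""Added example: flag plaintext-HTTP requests to an HTTPS-only host in access logs.

Not IBM code. PROTECTED_HOSTS, PLAINTEXT_PORTS and SAMPLE_LOG are hypothetical.
"""
import re
from urllib.parse import urlsplit

PROTECTED_HOSTS = {"cloudpak.example.invalid"}   # hypothetical Cloud Pak System vhost
PLAINTEXT_PORTS = {80, 8080}                      # listeners that speak cleartext HTTP

# Constructed sample: a redirected plaintext hit, its HTTPS follow-up, and a
# plaintext hit that arrived from a link on a third-party site and was served.
SAMPLE_LOG = """\
cloudpak.example.invalid:80 203.0.113.7 - - [04/Feb/2026:10:15:01 +0000] "GET /console/ HTTP/1.1" 301 245 "-" "Mozilla/5.0"
cloudpak.example.invalid:443 203.0.113.7 - - [04/Feb/2026:10:15:02 +0000] "GET /console/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
cloudpak.example.invalid:80 198.51.100.9 - - [04/Feb/2026:10:16:40 +0000] "GET /api/session HTTP/1.1" 200 512 "http://forum.example.invalid/thread/42" "Mozilla/5.0"
""".splitlines()

# vhost_combined: %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>[^:\s]+):(?P<port>\d+) (?P<client>\S+) \S+ \S+ '
    r'\[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)


def parse_line(line):
    """Parse one vhost_combined line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec):
    """Return an alert dict for a plaintext request to a protected host, else None."""
    if rec["vhost"] not in PROTECTED_HOSTS or int(rec["port"]) not in PLAINTEXT_PORTS:
        return None
    status = int(rec["status"])
    if 300 <= status < 400:
        severity = "medium"
        reason = "plaintext request redirected; any non-Secure cookie was already sent"
    else:
        severity = "high"
        reason = f"plaintext request answered with status {status}"
    # A referer on another site matches the planted-link scenario.
    referer_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
    if referer_host and referer_host not in PROTECTED_HOSTS:
        severity = "high"
        reason += f"; followed from external site {referer_host}"
    return {"client": rec["client"], "time": rec["time"], "path": rec["path"],
            "severity": severity, "reason": reason}


def scan(lines):
    """Run every log line through the parser and classifier; return the alerts."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            alert = classify(rec)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['client']} {alert['path']}: {alert['reason']}")
```

Default Apache logging does not record the Cookie request header, so the script treats any plaintext request as a potential leak rather than trying to prove the cookie was present; add %{Cookie}i to the LogFormat only if your retention policy allows storing session identifiers.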
Monitoring Recommendations
- Enable detailed logging for authentication and session management events
- Configure alerts for session anomalies such as geographic impossibilities or rapid IP changes
- Implement continuous monitoring for HTTP traffic to hosts that should only accept HTTPS
- Regularly audit cookie security configurations across the environment
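The following audit script is an added example, not code from the page or from IBM. It checks raw Set-Cookie header values for the attributes this advisory concerns; parse_set_cookie and audit_headers work on header values you already have (for instance pasted from curl -sI https://host/), and audit_host fetches them live over TLS. The function names, the cookie names and the host are assumptions made for the example.

```python
"""Added example: audit Set-Cookie headers for Secure (and, on auth cookies, HttpOnly
and SameSite).

Not IBM code. SAMPLE_SET_COOKIE values and the auth-name heuristic are made up.
"""
import http.client
import re
import ssl

# Constructed Set-Cookie values as a login response might return them.
SAMPLE_SET_COOKIE = [
    "session_id=1f2e3d4c; Path=/; HttpOnly",                           # the flaw
    "auth_token=9a8b7c6d; Path=/; Secure; HttpOnly; SameSite=Strict",  # corrected
    "theme=dark; Path=/; Max-Age=31536000",
]

# Heuristic: cookie names that usually carry authentication state.
AUTH_NAME_RE = re.compile(r"session|token|auth|sid", re.I)


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip() or True   # flags like Secure -> True
    return name, attrs


def audit_set_cookie(value):
    """Return (name, findings); findings lists the missing attributes as short codes."""
    name, attrs = parse_set_cookie(value)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")        # the CVE-2023-38281 condition
    if AUTH_NAME_RE.search(name):
        if "httponly" not in attrs:
            findings.append("no-httponly")
        if "samesite" not in attrs:
            findings.append("no-samesite")
    return name, findings


def audit_headers(values):
    """Audit many Set-Cookie values; return {cookie name: findings} for flagged ones."""
    report = {}
    for value in values:
        name, findings = audit_set_cookie(value)
        if findings:
            report[name] = findings
    return report


def audit_host(host, path="/", timeout=10):
    """Request path over TLS and audit the Set-Cookie headers in the response (network)."""
    conn = http.client.HTTPSConnection(host, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", path, headers={"User-Agent": "cookie-audit/1.0"})
        resp = conn.getresponse()
        return audit_headers(resp.headers.get_all("Set-Cookie") or [])
    finally:
        conn.close()


if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_SET_COOKIE).items():
        print(f"{name}: {', '.join(findings)}")
```

Run audit_host against the login endpoint rather than the landing page, since session and token cookies are usually only issued after authentication; on an HTTPS-only site every cookie, not just the authentication ones, should carry Secure.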
How to Mitigate CVE-2023-38281
Immediate Actions Required
- Apply the latest security patches from IBM for Cloud Pak System immediately
- Serve HTTP Strict Transport Security (HSTS) headers over HTTPS so that browsers which have seen the site once refuse to make plaintext requests to it; HSTS does not protect a browser's very first visit unless the domain is on the preload list
- After patching, invalidate all active sessions (force a re-login) so that tokens already captured stop working; the patch alone does not revoke them
- Configure network security controls to block or alert on HTTP access to sensitive systems
Patch Information
IBM has released a security advisory addressing this vulnerability. Administrators should apply the updates referenced in the IBM Support Article as soon as possible. Ensure your IBM Cloud Pak System is updated to a version that sets the Secure attribute on all authentication-related cookies, then verify the fix by inspecting the Set-Cookie headers of a login response.
Workarounds
- Redirect HTTP to HTTPS at the load balancer or reverse proxy. This keeps the HTTP listener from serving application content, but the browser has already sent any non-Secure cookie in the plaintext request by the time the redirect is returned, so the redirect alone does not stop the leak; HSTS is what prevents the plaintext request from being made at all
- Send HSTS headers with a max-age of at least a year (and includeSubDomains where appropriate) so browsers refuse downgraded plaintext connections to the host
- Use network segmentation to limit exposure of the Cloud Pak System to trusted networks only
- A web application firewall (WAF) in front of the HTTP listener can drop requests that carry session cookies rather than answering them, but it cannot see a passively sniffed copy of the traffic, so it does not substitute for the patch
# Configuration example: HSTS header plus HTTP-to-HTTPS redirect (Apache; requires
# mod_headers and mod_rewrite). Put the Header line in the HTTPS (port 443)
# VirtualHost for the Cloud Pak System front end; browsers ignore an HSTS header
# that arrives on a plain-HTTP response.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
# Redirect all HTTP traffic to HTTPS (place in the port 80 VirtualHost, or keep the
# RewriteCond if the rule lives in a shared context). Note that the browser has
# already sent any non-Secure cookie in the request this redirect answers.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


