{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-40684","assignerOrgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","state":"PUBLISHED","assignerShortName":"ibm","dateReserved":"2024-07-08T19:30:52.530Z","datePublished":"2026-05-27T13:48:59.081Z","dateUpdated":"2026-05-27T15:33:16.940Z"},"containers":{"cna":{"providerMetadata":{"orgId":"9a959283-ebb5-44b6-b705-dcc2bbced522","shortName":"ibm","dateUpdated":"2026-05-27T13:48:59.081Z"},"title":"IBM Operations Analytics - Log Analysis is affected by Weak Password Policy and Inadequate Account Lockout Mechanism","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-521","description":"CWE-521 Weak Password Requirements","type":"CWE"}]}],"affected":[{"vendor":"IBM","product":"Operations Analytics - Log Analysis","versions":[{"status":"affected","version":"1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3","lessThanOrEqual":"7.2.0.14","versionType":"semver"},{"status":"affected","version":"1.3.6.0, 1.3.6.1"},{"status":"affected","version":"1.3.7.0, 1.3.7.1, 1.3.7.2"},{"status":"affected","version":"1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4"}],"cpes":["cpe:2.3:a:ibm:operations_analytics___log_analysis:1.3.5.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:operations_analytics___log_analysis:1.3.6.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:operations_analytics___log_analysis:1.3.7.0:*:*:*:*:*:*:*","cpe:2.3:a:ibm:operations_analytics___log_analysis:1.3.8.0:*:*:*:*:*:*:*"]}],"descriptions":[{"lang":"en","value":"IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>IBM Operations Analytics - Log Analysis 1.3.5.0, 1.3.5.1, 1.3.5.2, 1.3.5.3, 1.3.6.0, 1.3.6.1, 1.3.7.0, 1.3.7.1, 1.3.7.2, and 1.3.8.0, 1.3.8.1, 1.3.8.2, 1.3.8.3, 1.3.8.4 IBM SmartCloud Analytics - Log Analysis does not require that users should have strong passwords by default, which makes it easier for attackers to compromise user accounts.</p>"}]}],"references":[{"url":"https://www.ibm.com/support/pages/node/7268536","tags":["vendor-advisory","patch"]}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseSeverity":"MEDIUM","baseScore":5.9,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],"workarounds":[{"lang":"en","value":"Implement the LDAP user registry in place of the database-managed custom user registry provided in Log Analysis. Refer to the link below for more information:\n\n  *   Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.7 https://www.ibm.com/docs/en/oala/1.3.7 \n  *   Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.8 https://www.ibm.com/docs/en/oala/1.3.8","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>Implement the LDAP user registry in place of the database-managed custom user registry provided in Log Analysis. Refer to the link below for more information:</p><ul><li><a href=\"https://www.ibm.com/docs/en/oala/1.3.7?topic=authentication-ldap\" rel=\"noopener noreferrer nofollow\">Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.7</a></li><li><a href=\"https://www.ibm.com/docs/en/oala/1.3.8?topic=authentication-ldap\" rel=\"noopener noreferrer nofollow\">Configuring LDAP authentication in IBM Operations Analytics for Log Analysis 1.3.8</a></li></ul><p></p>"}]}],"solutions":[{"lang":"en","value":"None","supportingMedia":[{"type":"text/html","base64":false,"value":"<p>None</p>"}]}],"x_generator":{"engine":"ibm-cvegen"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-05-27T15:33:10.583591Z","id":"CVE-2024-40684","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-27T15:33:16.940Z"}}]}}