Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to glibc, Golang Go , Apache HTTP, IBM GSKit-Crypto and GnuTLS packages/liberaries .

Summary IBM MQ Operator and Queue manager container images are vulnerable to glibc, Golang Go , Apache HTTP, IBM GSKit-Crypto and GnuTLS. This bulletin identifies the steps required to address these vulnerabilities. Vulnerability Details CVEID:CVE-2024-33599 DESCRIPTION: glibc is vulnerable to a...

Security Bulletin: Multiple Vulnerabilities in IBM® Runtime Environment Java™ Technology Edition affects WebSphere eXtreme Scale

Summary There are multiple vulnerabilities in IBM Runtime Environment Java Version 8 used by WebSphere eXtreme Scale. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow a remote attacker to cause high...

Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to protobuf-go, libcurl, libexpat, Java SE, IBM GSKit-Crypto, open redirect, buffer overflow condition and golang-fips/openssl vulnerabilities.

Summary IBM MQ Operator and Queue manager container images are vulnerable to protobuf-go, libcurl, libexpat, golang-fips/openssl which were identified in RedHat UBI. IBM MQ is vulnerable to a buffer overflow condition, phishing attacks in open redirect , Java SE, IBM GSKit-Crypto. This bulletin...

Security Bulletin: Vulnerabilities in IBM Java SDK (CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, CVE-2023-33850) affect Power HMC

Summary IBM Java SDK is used by Power Hardware Management Console HMC. Since V10R1 is a Java 8 based HMC, HMC has addressed the affected CVEs, which were specific to Java 8: CVE-2024-20952, CVE-2024-20918, CVE-2024-20921, CVE-2024-20926, CVE-2024-20945, and CVE-2023-33850. The specified CVEs have...

Security Bulletin: IBM MQ is affected by multiple vulnerabilities in the IBM Runtime Environment, Java Technology Edition (CVE-2024-20952 and CVE-2023-33850)

Summary Multiple issues were identified with IBM Runtime Environment, Java Technology Edition, Version 8 which is shipped with IBM MQ. CVE-2023-33850 covers the GSKIT-Crypto ICC package used by IBM Runtime Environment, Java Technology Edition. This is separate to the GSKit-SSL package which is...

Security Bulletin: Multiple vulnerabilities in IBM DataPower Gateway

Summary While core IBM DataPower Gateway does not use Java, certain components shipped with IDG may be vulnerable. Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentialit...

Security Bulletin: IBM Sterling Connect:Direct for UNIX is vulnerable to unspecified vulnerabilities and sensitive information exposure due to IBM Runtime Environment Java Technology Edition Version 8

Summary IBM Java 8 is used by IBM Sterling Connect:Direct for UNIX in product configuration, management, and data transmission. IBM Sterling Connect:Direct for UNIX is impacted by unspecified vulnerabilities and sensitive information exposure due to IBM Java 8. IBM Sterling Connect:Direct for UNI...

Security Bulletin: Security Vulnerability in IBM GSKit affects IBM Security Directory Server Container Products (CVE-2023-32342)

Summary A Security Vulnerability in IBM GSKit that ships with IBM Security Directory Server Container Products has been addressed in an update. Vulnerability Details CVEID:CVE-2023-32342 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a timing-based...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK (January 2024) affect IBM InfoSphere Information Server

Summary There are multiple vulnerabilities in the IBM® SDK Java™ Technology Edition, Version 8 that is used by IBM InfoSphere Information Server. These issues were disclosed as part of the IBM Java SDK updates in January 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecified...

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Installation Manager and IBM Packaging Utility

Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 8 used by IBM Installation Manager and IBM Packaging Utility. The IBM Installation Manager and IBM Packaging Utility have addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM Java Runtime affect IBM® Db2®. (Jan 2024 CPU)

Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 7.1.5.20 and earlier, 8.0.8.15 and earlier used by IBM® Db2®. These issues were disclosed as part of the IBM Java SDK updates in January 2024. Vulnerability Details CVEID:CVE-2024-20952 DESCRIPTION: An unspecifie...

Security Bulletin: IBM SDK, Java Technology Edition Quarterly CPU - Jan 2024 - Includes Oracle January 2024 CPU plus CVE-2023-33850

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 8 that are used by Maximo Asset Management, Maximo Industry Solutions including Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas and Maximo for Utilities a...

SUSE SLES15 / openSUSE 15 Security Update : java-1_8_0-ibm (SUSE-SU-2024:0619-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0619-1 advisory. - IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side chann...

Security Bulletin: Multiple vulnerabilities affect IBM® SDK, Java™ Technology Edition

Summary This bulletin covers all applicable Java SE CVEs published by Oracle as part of their January 2024 Critical Patch Update, plus CVE-2023-33850. For more information please refer to Oracle's January 2024 CPU Advisory and the X-Force database entries referenced below. Vulnerability Details...

Security Bulletin: IBM Sterling Transformation Extender is vulnerable to multiple issues due to Keycloak, Swagger UI, IBM GSKit, and Apache ActiveMQ

Summary IBM Sterling Transformation Extender uses Keycloak, Swagger UI, IBM GSKit, and Apache ActiveMQ. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2023-46604 DESCRIPTION: Apache ActiveMQ and ActiveMQ Legacy OpenWire Module could allo...

Security Bulletin: A vulnerability in the GSKit component of Content Manager Enterprise Edition (CVE-2016-0201)

Summary A vulnerability has been addressed in the GSKit component of Content Manager Enterprise Edition. Vulnerability Details CVEID: CVE-2016-0201 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a MD5 collision. An attacker could exploit this...

Security Bulletin: Vulnerabilities in GSKit affect Content Manager Enterprise Edition (CVE-2015-7421)

Summary Vulnerabilities were discovered in GSKit. Content Manager Enterprise Edition uses GSKit and addressed the applicable CVE. Vulnerability Details CVEID: CVE-2015-7421 DESCRIPTION: A vulnerability in GSKit could allow a remote attacker to obtain sensitive information. The internal ICC PRNG...

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure vulnerability due to the consumed GSKit library (CVE-2023-33850)

Summary IBM® Db2® is vulnerable to an information disclosure vulnerability due to the consumed GSKit library. Vulnerability Details CVEID:CVE-2023-33850 DESCRIPTION: IBM GSKit-Crypto could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA...

Security Bulletin: IBM Planning Analytics is affected by vulnerabilities in IBM Java, IBM Websphere Application Server Liberty and IBM GSKit

Summary There are vulnerabilities in IBM® Java™ Version 8, IBM WebSphere Application Server Liberty and IBM® Global Security Kit GSKit used by IBM Planning Analytics and IBM Planning Analytics Workspace. IBM Planning Analytics 2.0.9.19 and IBM Planning Analytics Workspace 2.0.91 have addressed th...

Security Bulletin: IBM® Db2® is vulnerable to an information disclosure vulnerability due to the consumed GSKit library (CVE-2023-32342)

Summary IBM® Db2® is vulnerable to an information disclosure vulnerability due to the consumed GSKit library. The fix for this issue was already published in an earlier bulletin. If you have already applied the appropriate Db2 special build or installed GSKit version 8.0.55.31, which contains the...