342 matches found
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service CVE-2023-43642
Summary snappy-java is used by the IBM Datapower Operations Dashboard as a compressor/decompressor for Java Vulnerability Details CVEID:CVE-2023-43642 DESCRIPTION: snappy-java is vulnerable to a denial of service, caused by missing upper bound check on chunk length. By sending a specially crafted...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to denial of service CVE-2023-3635
Summary Okio GzipSource is used by the IBM Datapower Operations Dashboard in its IO infrastructure. Vulnerability Details CVEID:CVE-2023-3635 DESCRIPTION: Okio GzipSource is vulnerable to a denial of service, caused by unhandled exception. By sending a specially crafted gzip buffer, a remote...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a machine-in-the-middle attack CVE-2023-48795
Summary OpenSSH is used by the IBM Datapower Operations Dashboard for general remote services. Vulnerability Details CVEID:CVE-2023-48795 DESCRIPTION: OpenSSH is vulnerable to a machine-in-the-middle attack, caused by a flaw in the extension negotiation process in the SSH transport protocol when...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to a denial of service [CVE-2023-34462]
Summary Netty is used by the IBM Datapower Operations Dashboard in its network protocol infrastructure. Vulnerability Details CVEID:CVE-2023-34462 DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake...
Security Bulletin: IBM Datapower Operations Dashboard to a denial of service caused by an unsafe deserialization flaw
Summary Apache Johnzon is used by the IBM Datapower Operations Dashboard in its JSON processing. Vulnerability Details CVEID:CVE-2023-33008 DESCRIPTION: Apache Johnzon is vulnerable to a denial of service, caused by an unsafe deserialization flaw in BigDecimal. By sending a specially crafted JSON...
Security Bulletin: IBM DataPower Gateway vulnerable to unauthorized access in Redis
Summary Redis is used in gateway peering, B2B and rate-limiting. IBM has updated Redis to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45145 DESCRIPTION: Redis could allow a local authenticated attacker to bypass security restrictions, caused by a race condition when a permissi...
Security Bulletin: IBM DataPower Gateway vulnerable to directory traversal issue
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-46177 DESCRIPTION: IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to view arbitrary files on the system. IBM...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to a denial of service (CVE-2023-4807)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-4807 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a state corruption flaw in the POLY1305 MAC message authentication code implementation, when running on newer X8664 processors supporting the AVX512-IFM...
Security Bulletin: IBM DataPower Gateway vulnerable to HTTP/2 "Rapid Reset" Denial of Service (CVE-2023-44487, CVE-2023-39325)
Summary IBM has addressed both CVEs. Vulnerability Details CVEID: CVE-2023-39325 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a...
Security Bulletin: IBM DataPower Gateway vulnerable to multiple issues in Node.js
Summary IBM has addressed the following CVEs that could affect the API Gateway Director, and in version 10.5. only the New UI Vulnerability Details CVEID:CVE-2023-30588 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By...
Security Bulletin: Timing side-channel in IBM DataPower Gateway (CVE-2023-32342)
Summary A timing side-channel is present in IBM GSKit. This potentially affects the following IBM DataPower Gateway services: ISAM/TAM, MQ and JMS Vulnerability Details CVEID:CVE-2023-32342 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a...
Security Bulletin: IBM DataPower Gateway affected by multiple issues in JRE
Summary IBM has addressed the following CVEs, which potentially affect JDBC, IMS Callout and JMS components Vulnerability Details CVEID:CVE-2023-21930 DESCRIPTION: An unspecified vulnerability in Oracle Java SE, Oracle GraalVM Enterprise Edition related to the JSSE component could allow an...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2023-2650)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-2650 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJobj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sendin...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-4450 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEMreadbioex function. By sending specially crafted PEM files for...
Security Bulletin: IBM MQ Appliance is vulnerable to cross-site request forgery (CVE-2022-31773)
Summary IBM MQ Appliance has resolved a cross-site request forgery vulnerability. Vulnerability Details CVEID:CVE-2022-31773 DESCRIPTION: IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthoriz...
Security Bulletin: IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486)
Summary IBM has addressed the CVEs Vulnerability Details CVEID:CVE-2021-45485 DESCRIPTION: Linux Kernel could allow a local attacker to obtain sensitive information, caused by improperly consider attacks from many IPv6 source addresses in net/ipv6/outputcore.c in the IPv6 implementation. By sendi...
Security Bulletin: IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-21166 DESCRIPTION: Intel Processors could allow a local authenticated attacker to obtain sensitive information, caused by incomplete cleanup in specific special register write operations in the Memory Mapped I/O MMIO component...
Security Bulletin: UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2020-25705 DESCRIPTION: Linux Kernel could allow a remote attacker to bypass security restrictions, caused by a flaw in the way reply ICMP packets are limited. By sending a specially-crafted request, an attacker could exploit this...
CVE-2022-40228
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527...
CVE-2022-40228
IBM DataPower Gateway 10.0.3.0 through 10.0.4.0, 10.0.1.0 through 10.0.1.9, 2018.4.1.0 through 2018.4.1.22, and 10.5.0.0 through 10.5.0.2 does not invalidate session after a password change which could allow an authenticated user to impersonate another user on the system. IBM X-Force ID: 235527...