
7510 matches found

IBM Security Bulletins
added 2020/02/28 6:27 p.m., 22 views

Security Bulletin: IBM Security Information Queue has overly permissive CORS policy (CVE-2020-4292)

Summary: The cross-origin resource sharing (CORS) policy in IBM Security Information Queue (ISIQ) is too permissive. It allows all origins to access the ISIQ Web Server resources when such cross-domain accesses are unnecessary for ISIQ functionality. As of v1.0.5, ISIQ no longer permits cross-origin...

CVSS 5.3 | AI score 4.3 | EPSS 0.00981
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2020/02/28 6:23 p.m., 17 views

Security Bulletin: IBM Security Information Queue contains hard-coded credentials (CVE-2020-4283)

Summary: IBM Security Information Queue (ISIQ) stores the JSON web token (JWT) secret in plain text in one of its YAML files. As of v1.0.5, ISIQ generates an encrypted JWT secret during product configuration. Vulnerability Details: CVEID: CVE-2020-4283 DESCRIPTION: IBM Security Information Queue (ISIQ)...

CVSS 8.6 | EPSS 0.01097
Exploits: 0 | Affected Software: 1

Oracle linux
added 2020/02/25 12:0 a.m., 79 views

systemd security and bug fix update

239-18.0.2.el81.4 - fix to generate systemd-pstore.service file Orabug: 30230056 - fix netdev is missing for iscsi entry in /etc/fstab [email protected] Orabug: 25897792 - set 'RemoveIPC=no' in logind.conf as default for OL7.2 Orabug: 22224874 - allow dm remove ioctl to co-operate with UEK3...

CVSS 7.8 | AI score 8.2 | EPSS 0.0046
Exploits: 0

RedhatCVE
added 2020/02/21 8:3 a.m., 43 views

CVE-2018-10021

The code in the drivers/scsi/libsas/sas_scsi_host.c file in the Linux kernel allows a physically proximate attacker to cause a memory leak in the ATA command queue and, thus, denial of service by triggering certain failure conditions...

CVSS 5.5 | AI score 3.8 | EPSS 0.00466
Exploits: 2 | References: 1

RedHat Linux
added 2020/02/19 7:37 a.m., 2 views

kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

A flaw was found in the Linux kernel’s block driver implementation (__blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the system's block device subsystem. An attacker could use this flaw to crash the system or corrupt local...

CVSS 7.8 | AI score 7 | EPSS 0.00707
Exploits: 0 | References: 4

CNVD
added 2020/02/12 12:0 a.m., 2 views

IBM MQ Input Validation Error Vulnerability (CNVD-2020-13051)

IBM MQ (IBM WebSphere MQ) is a messaging middleware product from IBM. The product is mainly for the service-oriented architecture (SOA) to provide a reliable and proven messaging backbone. An input validation error vulnerability exists in IBM MQ version 9.0 LTS, version 8.0 and IBM MQ Appliance versi...

CVSS 5.9 | AI score 6.7 | EPSS 0.01281
Exploits: 0 | References: 1

IBM Security Bulletins
added 2020/02/05 12:53 a.m., 17 views

Security Bulletin: IBM Sterling B2B Integrator has Cross Site Scripting vulnerabilities in Queue Watcher (CVE-2017-1496)

Summary: IBM Sterling B2B Integrator Queue Watcher could allow a Cross Site Scripting attack. Vulnerability Details: CVEID: CVE-2017-1496 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript cod...

CVSS 5.4 | AI score 1 | EPSS 0.0054
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2020/02/05 12:53 a.m., 23 views

Security Bulletin: Information disclosure vulnerability affects IBM Sterling B2B Integrator (CVE-2015-7437)

Summary: IBM Sterling B2B Integrator Queue Watcher displays sensitive information. Vulnerability Details: CVEID: CVE-2015-7437 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition could allow a local user to obtain sensitive information via Queue Watcher. CVSS Base Score: 5.5 CVSS Temporal...

CVSS 5.5 | AI score 1.2 | EPSS 0.00336
Exploits: 0 | Affected Software: 1

Veracode
added 2020/01/29 2:11 a.m., 12 views

Cross-Site Scripting (XSS)

activemq-web-console is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user's browser via the listing of queue contents in the admin GUI...

AI score 4
Exploits: 0

OSV
added 2020/01/28 7:15 p.m., 1 views

CVE-2019-4614

IBM MQ and IBM MQ Appliance 8.0 and 9.0 LTS client connecting to a Queue Manager could cause a SIGSEGV denial of service caused by converting an invalid message. IBM X-Force ID: 168639...

CVSS 6.5 | AI score 6.9 | EPSS 0.01508
Exploits: 0 | References: 2

NVD
added 2020/01/23 3:15 p.m., 28 views

CVE-2012-4863

IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability...

CVSS 6.5 | AI score 6.4 | EPSS 0.01168
Exploits: 0 | References: 2

Prion
added 2020/01/23 3:15 p.m., 20 views

Design/Logic Flaw

IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability...

CVSS 4 | AI score 6.9 | EPSS 0.01168
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2020/01/23 1:49 p.m., 26 views

CVE-2012-4863

IBM WebSphere MQ 7.1 and 7.5: Queue manager has a DoS vulnerability...

AI score 6.4 | EPSS 0.01168
Exploits: 0 | References: 2

RedHat Linux
added 2020/01/23 4:30 a.m., 3 views

jenkins: Stored XSS vulnerability in queue item tooltip

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executor...

CVSS 5.4 | AI score 6 | EPSS 0.01033
Exploits: 0 | References: 4

IBM Security Bulletins
added 2020/01/22 10:30 p.m., 32 views

Security Bulletin: IBM Security Information Queue uses database components with known vulnerabilities (CVE-2016-3506, CVE-2018-1058, CVE-2018-10936, CVE-2019-9193)

Summary: IBM Security Information Queue (ISIQ) relies on older Oracle JDBC and PostgreSQL JAR files that have known vulnerabilities. As of v1.0.5, ISIQ switched to newer, secure versions of the JAR files. Vulnerability Details: CVEID: CVE-2016-3506 DESCRIPTION: Unspecified vulnerability in the JDBC...

CVSS 9 | AI score 0.4 | EPSS 0.91877
Exploits: 18 | Affected Software: 1

RedHat Linux
added 2020/01/14 3:56 p.m., 5 views

kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

A flaw was found in the Linux kernel’s block driver implementation (__blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the system's block device subsystem. An attacker could use this flaw to crash the system or corrupt local...

CVSS 7.8 | AI score 7 | EPSS 0.00707
Exploits: 0 | References: 4

RedHat Linux
added 2020/01/14 8:6 a.m., 5 views

kernel: Use-after-free in __blk_drain_queue() function in block/blk-core.c

A flaw was found in the Linux kernel’s block driver implementation (__blk_drain_queue() function) where a use-after-free condition could be triggered while draining the outstanding command queue in the system's block device subsystem. An attacker could use this flaw to crash the system or corrupt local...

CVSS 7.8 | AI score 7 | EPSS 0.00707
Exploits: 0 | References: 4

RedHat Linux
added 2020/01/14 5:32 a.m., 2 views

jenkins: Stored XSS vulnerability in queue item tooltip

Jenkins 2.196 and earlier, LTS 2.176.3 and earlier did not escape the reason why a queue item is blocked in tooltips, resulting in a stored XSS vulnerability exploitable by users able to control parts of the reason a queue item is blocked, such as label expressions not matching any idle executor...

CVSS 5.4 | AI score 6 | EPSS 0.01033
Exploits: 0 | References: 4

OSV
added 2020/01/06 8:15 p.m., 2 views

UBUNTU-CVE-2019-18179

An issue was discovered in Open Ticket Request System (OTRS) 7.0.x through 7.0.12, and Community Edition 5.0.x through 5.0.38 and 6.0.x through 6.0.23. An attacker who is logged into OTRS as an agent is able to list tickets assigned to other agents, even tickets in a queue where the attacker doesn'...

CVSS 4.3 | AI score 6.2 | EPSS 0.01313
Exploits: 0 | References: 3

RedHat Linux
added 2020/01/06 2:53 p.m., 2 views

kernel: local attacker can trigger multiple use-after-free conditions results in privilege escalation

A flaw was found in the way the Linux kernel's networking subsystem handled the write queue between TCP disconnection and re-connections. A local attacker could use this flaw to trigger multiple use-after-free conditions potentially escalating their privileges on the system...

CVSS 7.8 | AI score 7.1 | EPSS 0.00589
Exploits: 1 | References: 4