418 matches found
Security Bulletin: IBM DataPower Gateway is vulnerable to denial of service due to Golang Go
Summary IBM DataPower Gateway is vulnerable to denial of service due to use of Golang Go in DataPower Operator and Prometheus Metrics . CVE-2024-24783 Vulnerability Details CVEID:CVE-2024-24783 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by a flaw in the crypto/x509 packag...
Security Bulletin: IBM DataPower Gateway vulnerable to DOS in OpenSSL (CVE-2024-0727)
Summary IBM has addressed the CVE. Vulnerability Details CVEID:CVE-2024-0727 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by improper input validation. By persuading a victim to open a specially crafted PKCS12 file, a remote attacker could exploit this vulnerability to cause...
Security Bulletin: IBM DataPower Gateway vulnerable to "Terrapin" attack in OpenSSH (CVE-2023-48795)
Summary By manipulating sequence numbers during SSH connection setup, a MITM attacker can delete negotiation messages without causing a MAC failure. To mitigate this vulnerability, IBM has removed the chacha20-poly1305 cipher and all etm HMACs from the default set of algorithms offered,...
Security Bulletin: IBM DataPower Gateway Virtual Edition affected by bypass vulnerability in Open VM Tools
Summary Exploitation of this flaw requires root access to the ESXi host. IBM has addressed the vulnerability. Vulnerability Details CVEID:CVE-2023-20867 DESCRIPTION: VMware Tools could allow a local authenticated attacker to bypass security restrictions, caused by the failure to authenticate...
Security Bulletin: Multiple vulnerabilities in IBM DataPower Gateway
Summary While core IBM DataPower Gateway does not use Java, certain components shipped with IDG may be vulnerable. Vulnerability Details CVEID:CVE-2023-22081 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow a remote attacker to cause no confidentialit...
Security Bulletin: IBM DataPower Gateway is vulnerable to Denial of Service due to use of Node.js
Summary NodeJS is used by IBM DataPower Gateway as part of the API-GWY management interface CVE-2024-22019 Vulnerability Details CVEID:CVE-2024-22019 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error when reading unprocessed HTTP request with unbounded chunk extension...
Security Bulletin: IBM DataPower affected by vulnerability in Go (CVE-2023-39326)
Summary This CVE may affect DataPower Operator or SNMP Exporter for Prometheus Vulnerability Details CVEID:CVE-2023-39326 DESCRIPTION: Golang Go could allow a remote attacker to obtain sensitive information, caused by a flaw in the net/http package. By sending a specially crafted HTTP request, an...
Security Bulletin: IBM DataPower Gateway vulnerable to unauthorized access in Redis
Summary Redis is used in gateway peering, B2B and rate-limiting. IBM has updated Redis to address the vulnerability. Vulnerability Details CVEID:CVE-2023-45145 DESCRIPTION: Redis could allow a local authenticated attacker to bypass security restrictions, caused by a race condition when a permissi...
Security Bulletin: IBM DataPower Gateway vulnerable to directory traversal issue
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-46177 DESCRIPTION: IBM MQ Appliance 9.3 LTS and 9.3 CD could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request to view arbitrary files on the system. IBM...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to a denial of service (CVE-2023-4807)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-4807 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a state corruption flaw in the POLY1305 MAC message authentication code implementation, when running on newer X8664 processors supporting the AVX512-IFM...
Security Bulletin: IBM DataPower Gateway vulnerable to HTTP/2 "Rapid Reset" Denial of Service (CVE-2023-44487, CVE-2023-39325)
Summary IBM has addressed both CVEs. Vulnerability Details CVEID: CVE-2023-39325 DESCRIPTION: Golang Go is vulnerable to a denial of service, caused by an uncontrolled resource consumption flaw in the net/http and x/net/http2 packages. By sending specially crafted requests using HTTP/2 client, a...
Security Bulletin: IBM DataPower Gateway vulnerable to multiple issues in Node.js
Summary IBM has addressed the following CVEs that could affect the API Gateway Director, and in version 10.5. only the New UI Vulnerability Details CVEID:CVE-2023-30588 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By...
Security Bulletin: Timing side-channel in IBM DataPower Gateway (CVE-2023-32342)
Summary A timing side-channel is present in IBM GSKit. This potentially affects the following IBM DataPower Gateway services: ISAM/TAM, MQ and JMS Vulnerability Details CVEID:CVE-2023-32342 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive information, caused by a...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2023-2650)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-2650 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw when using OBJobj2txt directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit. By sendin...
Security Bulletin: Potential security bypass in IBM DataPower Gateway (CVE_2023-23920)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2023-23920 DESCRIPTION: Node.js could allow a remote authenticated attacker to bypass security restrictions, caused by improper access control. By sending a specially-crafted request using ICUDATA environment variable, an attacker...
Security Bulletin: IBM DataPower Gateway affected by multiple CVEs in OpenSSL
Summary IBM has addressed the CVEs Vulnerability Details CVEID:CVE-2022-4304 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a timing-based side channel in the RSA Decryption implementation. By sending an overly large number of trial messages for...
Security Bulletin: Potential denial of service in IBM DataPower Gateway (CVE-2022-25881)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-25881 DESCRIPTION: Node.js http-cache-semantics module is vulnerable to a denial of service, caused by a regular expression denial of service ReDoS flaw. By sending a specially-crafted regex input using request header values, ...
Security Bulletin: IBM DataPower Gateway potentially vulnerable to Denial of Service (CVE-2022-4450)
Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-4450 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a double-free error related to the improper handling of specific PEM data by the PEMreadbioex function. By sending specially crafted PEM files for...
Security Bulletin: IBM MQ Appliance is vulnerable to cross-site request forgery (CVE-2022-31773)
Summary IBM MQ Appliance has resolved a cross-site request forgery vulnerability. Vulnerability Details CVEID:CVE-2022-31773 DESCRIPTION: IBM DataPower Gateway V10CD, 10.0.1, and 2018.4.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthoriz...
Security Bulletin: IBM DataPower Gateway affected by vulnerability in Java (CVE-2022-21626)
Summary IBM has addressed the CVE, which potentially affects JDBC, IMS Callout and JMS components Vulnerability Details CVEID:CVE-2022-21626 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service...