Security Bulletin: Due to use of QOS.CH logback, IBM Cloud Pak System is affected by server-side request forgery and arbitrary code execution
Summary Due to use of QOS.CH logback IBM Cloud Pak System is affected by server-side request forgery and arbitrary code execution CVE-2024-12801, CVE-2024-12798. Vulnerability Details CVEID:CVE-2024-12801 DESCRIPTION: Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version...
Security Bulletin: SSRF Vulnerability in QOS.CH Logback via Malicious DOCTYPE in XML Config (v0.1–1.3.14, 1.4.0–1.5.12)
Summary Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of DOCTYPE declaration in X...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in QOS.CH logback [CVE-2024-12801]
Summary IBM Watson Speech Services Cartridge is vulnerable to a Server-Side Request Forgery in QOS.CH logback, caused by a flaw in the SaxEventRecorder CVE-2024-12801. QOS.CH logback is used by our Speech Microservices. This vulnerability has been addressed. Please read the details for remediati...
QOS.CH logback-core Expression Language Injection vulnerability
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 1.5.12 in Java applications allows attackers to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious...
QOS.CH logback-core Server-Side Request Forgery vulnerability
Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of DOCTYPE declaration in XML configuration files...
CVE-2024-12801
Server-Side Request Forgery SSRF in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of DOCTYPE declaration in XML...
CVE-2024-12798
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core up to and including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program...
Security Bulletin: Vulnerability in QOS.CH reload4j affects watsonx.data
Summary QOS.CH reload4j could allow a remote attacker access to sensitive information or perform server-side attacks on watsonx.data. Vulnerability Details IBM X-Force ID: 294027 DESCRIPTION: QOS.CH reload4j could allow a remote attacker to obtain sensitive information, caused by improper handling of X...
Security Bulletin: Vulnerability in QOS.ch Sarl Logback affects watsonx.data
Summary A serialization vulnerability in logback receiver component part of QOS.ch Sarl Logback allows an attacker to mount a Denial-Of-Service attack on watsonx.data by sending poisoned data. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2023-6378 DESCRIPTION: QOS.ch Sarl Logback...
Security Bulletin: Vulnerability in QOS.ch Sarl Logback affects watsonx.data
Summary A serialization vulnerability in logback receiver component part of QOS.ch Sarl Logback allows an attacker to mount a Denial-Of-Service attack on watsonx.data by sending poisoned data. Vulnerability Details CVEID:CVE-2023-6481 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of...
Security Bulletin: Multiple Vulnerabilities in IBM Operations Analytics Predictive Insights.
Summary Multiple vulnerabilities were addressed in IBM Operations Analytics Predictive Insights 1.3.6 iFix 8 Vulnerability Details CVEID:CVE-2022-46337 DESCRIPTION: Apache Derby could allow a remote attacker to bypass security restrictions, caused by a LDAP injection vulnerability in authenticato...
Security Bulletin: IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities
Summary There are multiple vulnerabilities in components of IBM i Modernization Engine for Lifecycle Integration as described in the Vulnerability Details section. QOS.ch Sarl Logback is vulnerable to a denial of service CVE-2023-6481, CVE-2023-6378. The Bouncy Castle Crypto Package For Java...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for February 2024.
Summary Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF030 and 23.0.2-IF002. Vulnerability Details CVEID:CVE-2023-2976 DESCRIPTION: Google Guava could allow a local authenticated attacker to obtain sensitive information, caused by a flaw with...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in QOS.ch Sarl Logback
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of QOS.ch Sarl Logback Vulnerability Details CVEID:CVE-2023-6481 DESCRIPTION: QOS.ch Sarl Logback is vulnerable to a denial of service, caused by a serialization flaw in the logback receiver component...
Security Bulletin: IBM Watson Assistant for IBM Cloud Pak for Data is vulnerable to QOS.ch Sarl Logback denial of service vulnerability (CVE-2023-6378)
Summary Potential QOS.ch Sarl Logback denial of service vulnerability CVE-2023-6378 has been identified that may affect IBM Watson Assistant for IBM Cloud Pak for Data. The vulnerability has been addressed. Refer to details for additional information. Vulnerability Details CVEID:CVE-2023-6378...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001
Summary The following security vulnerabilities are addressed with IBM Process Mining 1.14.3 IF001 Vulnerability Details CVEID:CVE-2023-46589 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by improper parsing of the HTTP trailer headers. By sending a specially crafted...
Security Bulletin: IBM Automation Decision Services January 2024 - Multiple CVEs addressed
Summary IBM Automation Decision Services is vulnerable to denial of service attacks in third party and open source used in the product for various functions. See full list below. This vulnerability has been addressed. Vulnerability Details CVEID:CVE-2023-6378 DESCRIPTION: QOS.ch Sarl Logback is...
Security Bulletin: IBM Observability with Instana is affected by Multiple Security Vulnerabilities
Summary Multiple vulnerabilities were remediated in IBM Observability with Instana build 265. Vulnerability Details CVEID:CVE-2023-20861 DESCRIPTION: VMware Tanzu Spring Framework is vulnerable to a denial of service. By sending a specially crafted SpEL expression, a remote attacker could exploit...