Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in IBM Engineering Systems Design Rhapsody (Rhapsody)
Summary IBM Engineering Systems Design Rhapsody (Rhapsody) components, Knowledge Center and Test Conductor are impacted by the Apache Log4j vulnerability CVE-2021-44228. Customers are encouraged to take quick action to apply the fix. Vulnerability Details CVEID:CVE-2021-44228 DESCRIPTION: Apache Log4j...
Download IBM Cognos Controller 10.4.2 IF16
Abstract IBM Cognos Controller is affected by a security vulnerability. Apache Log4j is used by IBM Cognos Controller as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j CVE-2021-45046 vulnerability. Please note that this update also addresses...
Security Bulletin: Vulnerability in Apache Tomcat affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products
Summary A vulnerability in Apache Tomcat affects the product's management GUI, potentially allowing an attacker to cause a denial of service. The Command Line Interface is unaffected. Vulnerability Details CVEID:CVE-2021-42340 DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, cause...
Security Bulletin: Apache Log4j Vulnerability Affects IBM Sterling Transformation Extender (CVE-2021-44228)
Summary IBM Sterling Transformation Extender is impacted by the Log4j2 security vulnerability CVE-2021-44228, where an attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. Vulnerability Details...
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44228)
Summary Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library. Please see...
Security Bulletin: Vulnerabilities in GSKit affect IBM Personal Communications v6.0.x (CVE-2015-0138)
Summary GSKit is an IBM component that is used by IBM Personal Communications. The GSKit that is shipped with IBM Personal Communications 6.0.13 and before contains multiple security vulnerabilities including the "FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability...
Security Bulletin: Security vulnerability in WebSphere Application Server shipped with Predictive Maintenance and Quality and Predictive Maintenance Insights On-Premises (CVE-2021-23450)
Summary IBM WebSphere Application Server is shipped with IBM Predictive Maintenance and Quality and Predictive Maintenance Insights On-Premises. IBM WebSphere Application Server is vulnerable to remote code execution due to Dojo CVE-2021-23450. Vulnerability Details Refer to the security bulletin...
Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect IBM WebSphere Application Server (CVE-2015-4000)
Summary The LogJam Attack on Diffie-Hellman ciphers (CVE-2015-4000) may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition. The IBM HTTP Server used by WebSphere...
Security Bulletin: IBM Cognos Analytics: Apache Log4j vulnerabilities (CVE-2021-45105, CVE-2021-44832)
Summary IBM Cognos Analytics is affected by security vulnerabilities. Apache Log4j is used by IBM Cognos Analytics as part of its logging infrastructure. This bulletin addresses the exposure to the Apache Log4j vulnerabilities: CVE-2021-45105 and CVE-2021-44832. IBM Cognos Analytics has upgraded...
Security Bulletin: Python-requests is vulnerable to CVE-2023-32681 used in IBM Maximo Application Suite - Monitor Component
Summary IBM Maximo Application Suite - Monitor Component uses python-requests which is vulnerable to CVE-2023-32681. Vulnerability Details CVEID:CVE-2023-32681 DESCRIPTION: python-requests could allow a remote attacker to obtain sensitive information, caused by the leaking of Proxy-Authorization...
Security Bulletin: IBM MegaRAID Storage Manager is affected by a vulnerability in Log4j (CVE-2021-4104)
Summary The following vulnerability in Log4j has been addressed by IBM MegaRAID Storage Manager. This fix includes the removal of Log4j. Vulnerability Details CVEID: CVE-2021-4104 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the...
Security Bulletin: IBM Security Guardium is vulnerable to a remote code execution vulnerability in log4j2 component
Summary IBM Security Guardium has fixed this vulnerability. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against attacker controlled LDAP and other JNDI related endpoint...
Security Bulletin: Vulnerability in Apache Log4j may affect IBM Spectrum Protect Operations Center (CVE-2021-44832)
Summary A vulnerability in Apache Log4j could result in remote code execution. This vulnerability may affect the Help system in IBM Spectrum Protect Operations Center. The below fix packages include Apache Log4j 2.17.1. Vulnerability Details CVEID: CVE-2021-44832 DESCRIPTION: Apache Log4j could...
Security Bulletin: Apache Log4j (CVE-2021-44228) vulnerability in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) and IBM Security Guardium Key Lifecycle Manager
Summary WebSphere Application Server (WAS) is shipped as a component of IBM Security Guardium Key Lifecycle Manager (GKLM). Information about the Apache Log4j vulnerability has been published in a security bulletin. Customers are encouraged to take quick action to update their systems. Vulnerability...
Security Bulletin: IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable by a remote code execution in Spring Framework (CVE-2022-22965)
Summary IBM Sterling Connect:Direct for UNIX is affected but not classified as vulnerable to a remote code execution in Spring Framework CVE-2022-22965 as it does not meet all of the following criteria: 1. JDK 9 or higher, 2. Apache Tomcat as the Servlet container, 3. Packaged as WAR in contrast ...
Security Bulletin: IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 may be affected by the log4j vulnerability (CVE-2021-44228)
Summary The IBM Security Access Manager 9.0.7.1 and IBM Security Verify Access 10.0.0.0 product ships the One-time Password component which embeds a vulnerable version of the log4j library. This has been fixed in the latest supported versions of the product. Customers should move up to the latest...
Security Bulletin: A vulnerability in IBM Java Runtime affects IBM SPSS Statistics
Summary There is a vulnerability in IBM® Runtime Environment Java™ Versions 7.0, 7.1, and 8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2020-27221 DESCRIPTION: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow...
WebSphere Application Server and IBM HTTP Server Security Bulletin List
Question Is there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server? Answer The following table is provided to help you locate WebSphere Application Server and IBM HTTP Server security bulletins. These are listed numerically by CVE number n...
Security Bulletin: IBM Security Directory Integrator has upgraded log4j
Summary IBM Security Directory Integrator (SDI) has upgraded to log4j 2.17.1. Although SDI was technically not vulnerable to the issue described below because it did not use JMSAppender, as a matter of good software hygiene the product has upgraded to the current version of log4j. SDI uses log4j as...
Security Bulletin: IBM i Access Client Solutions is vulnerable to DLL hijacking when run on a Windows operating system (CVE-2022-40746)
Summary IBM i Access Client Solutions is vulnerable to DLL hijacking when certain features are run on a Windows operating system that leverage native code. IBM has addressed this CVE by providing a fix to IBM i Access Client Solutions as described in the remediation/fixes section. Vulnerability...
Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities
Summary IBM Data Risk Manager has addressed the following vulnerabilities: Vulnerability Details CVEID: CVE-2020-13871 DESCRIPTION: SQLite is vulnerable to a denial of service, caused by a use-after-free in resetAccumulator in select.c. By sending a specially crafted request, a remote attacker...
Security Bulletin: IBM TRIRIGA Reporting, a component of IBM TRIRIGA Application Platform, is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-44228)
Summary IBM TRIRIGA Reporting a component of IBM TRIRIGA Application Platform is vulnerable to denial of service and arbitrary code execution due to Apache Log4j. Apache Log4j is used by IBM TRIRIGA Reporting as part of its logging infrastructure. This bulletin addresses this vulnerability by...
Security Bulletin: IBM Maximo Application Suite is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)
Summary Apache log4j 2 library is used by IBM Maximo Application Suite internal components. This bulletin provides remediation for the Apache log4j 2 vulnerability CVE-2021-44228 by applying a new Maximo Application suite fixpack. The fix includes Apache Log4j2 2.15.0. Vulnerability Details CVEID...
Security Bulletin: Vulnerability in FasterXML jackson-databind affects IBM Process Mining (CVE-2020-36518)
Summary There is a vulnerability in FasterXML jackson-databind that could allow a denial of service. The code is used by IBM Process Mining. This bulletin identifies the security fixes to apply to address the vulnerability. Vulnerability Details CVEID:CVE-2020-36518 DESCRIPTION: FasterXML...
Security Bulletin: IBM QRadar SIEM is vulnerable to using components with Known Vulnerabilities
Summary The product includes vulnerable components, e.g., framework libraries, that may be identified and exploited with automated tools. IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2021-38919 DESCRIPTION: IBM QRadar SIEM in some scenarios may reveal authorize...
Security Bulletin: Multiple Vulnerabilities in Java Runtime affect IBM SPSS Statistics
Summary Multiple vulnerabilities in Java Runtime Environment Version 8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2021-35578 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could allow a...
Security Bulletin: A Vulnerability in Apache Log4j affects IBM LKS ART & Agent
Summary A socket server related vulnerability has been disclosed in Apache Log4j used by IBM LKS Administration and Reporting Tool (ART) and Agent. A remediation has been put in place. Vulnerability Details CVEID: CVE-2019-17571 DESCRIPTION: Apache Log4j could allow a remote attacker to execute...
Security Bulletin: IBM InfoSphere Information Server may be affected by vulnerabilities in Apache log4j 1.x version
Summary Apache Log4j 1.x vulnerabilities may impact IBM InfoSphere Information Server which uses Apache Log4j for logging. Vulnerability Details CVEID:CVE-2021-4104 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of...
Security Bulletin: AIX is vulnerable to a machine-in-the-middle attack (CVE-2023-48795), arbitrary command execution (CVE-2023-51385), and information disclosure (CVE-2023-51384) due to OpenSSH
Summary Vulnerabilities in AIX's OpenSSH could allow a remote attacker to launch a machine-in-the-middle attack (CVE-2023-48795) and execute arbitrary commands (CVE-2023-51385), and could allow a local authenticated attacker to obtain sensitive information (CVE-2023-51384). OpenSSH is used by AIX for...
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-4104)
Summary Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This bulletin covers the vulnerability caused when using versions of log4j earlier than 2.0. This version of the library is used by...
Security Bulletin: Vulnerability in Apache Log4j affects IBM SPSS Analytic Server (CVE-2021-44228)
Summary There is a vulnerability in the version of Apache Log4j that was installed in IBM SPSS Analytic Server. This vulnerability has been addressed. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, cause...
Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is affected by an arbitrary code execution in OpenSSH server [CVE-2024-6387]
Summary IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data v4.8.5 is affected by arbitrary code execution in OpenSSH server, caused by a signal handler race condition (CVE-2024-6387). OpenSSH is a component of a glibc library that is included in our Speech Service Runtimes, but not...
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.1.7 FP5. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.2.2. The following 3rd party components are used by IBM Cognos Analytics: Apache Axis is a Java based Web Services engine f...
Security Bulletin: Vulnerability in OpenSSH affects IBM Integrated Analytics System (Sailfish)[CVE-2023-38408]
Summary The OpenSSH package is used by IBM Integrated Analytics System. The IBM Integrated Analytics System has addressed the applicable CVE (CVE-2023-38408). Vulnerability Details CVEID:CVE-2023-38408 DESCRIPTION: OpenSSH could allow a remote attacker to execute arbitrary code on the system, cause...
IBM Security Network Protection / IBM QRadar Network Security / XGS Technote Index
Question What Technotes exist for the IBM Security Network Protection / IBM QRadar Network Security XGS sensor? Answer The content below includes a list of all technical notes published under IBM Security Network Protection / IBM QRadar Network Security by category and sorted by popularity. Users...
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities
Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.2.2. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.1.7 FP4 where applicable. Vulnerability Details CVEID: CVE-2021-29824 DESCRIPTION: IBM Cognos Analytics is vulnerable to...
Security Bulletin: Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776)
Summary A vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. Apache Struts is used in the Service Assistant GUI...
Security Bulletin: AIX is vulnerable to arbitrary command execution (CVE-2022-1292 and CVE-2022-2068) or an attacker may obtain sensitive information (CVE-2022-2097) due to OpenSSL
Summary A vulnerability in OpenSSL could allow a remote attacker to execute arbitrary commands (CVE-2022-1292 and CVE-2022-2068) or obtain sensitive information (CVE-2022-2097). OpenSSL is used by AIX as part of AIX's secure network communications. Vulnerability Details CVEID:CVE-2022-2097 DESCRIPTIO...
Security Bulletin: Vulnerabilities in IBM Java included with IBM Tivoli Monitoring
Summary Vulnerability in IBM® SDK Java™ Technology Edition that is shipped as part of multiple IBM Tivoli Monitoring (ITM) components. Vulnerability Details CVEID:CVE-2021-2161 DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated...
Security Bulletin: i2 Analyze, i2 Connect and Analyst's Notebook Premium are affected by the Log4j vulnerability (CVE-2021-44228)
Summary Log4j is used by i2 Analyze and i2 Connect for general purpose and application error logging. It is also used in Analyst's Notebook Premium when the chart store is deployed. This bulletin provides mitigation for the reported CVE-2021-44228 by providing configuration that addresses Log4j...
Security Bulletin: Security vulnerability in Apache log4j used by IBM Db2 used by IBM Security Verify Governance, Identity Manager software component (CVE-2021-44228)
Summary A vulnerability exists in Apache log4j, which affects IBM Db2, which in turn is used by IBM Security Verify Governance, Identity Manager software component. Information about the security vulnerability affecting IBM Db2 has been published in a security bulletin. Vulnerability Details Refe...
Security Bulletin: IBM Aspera Faspex 4.4.2 PL2 has addressed multiple vulnerabilities (CVE-2022-28330, CVE-2023-22868, CVE-2022-30556, CVE-2022-31813, CVE-2022-30522, CVE-2022-47986, CVE-2022-28615, CVE-2022-26377, CVE-2018-25032, CVE-2022-2068)
Summary This Security Bulletin addresses security vulnerabilities that have been remediated in IBM Aspera Faspex 4.4.2 PL2. Vulnerability Details CVEID:CVE-2022-28330 DESCRIPTION: Apache HTTP Server could allow a remote attacker to obtain sensitive information. An attacker could exploit this...
Security Bulletin: OpenSSH vulnerability affects IBM Spectrum Protect Plus (CVE-2020-15778)
Summary A vulnerability in OpenSSH may affect IBM Spectrum Protect Plus. Vulnerability Details CVEID: CVE-2020-15778 DESCRIPTION: OpenSSH could allow a remote attacker to execute arbitrary commands on the system, caused by improper input validation in the remote function in scp.c. By using backti...
Security Bulletin: Vulnerability in Apache Log4j may affect IBM Tivoli Monitoring (CVE-2021-4104)
Summary The following security issue has been identified in components related to the IBM Tivoli Monitoring (ITM) portal server and client. Vulnerability Details CVEID:CVE-2021-4104 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the...
Security Bulletin: A vulnerability in Apache Log4j affects some features of IBM® Db2® (CVE-2021-44832)
Summary The Apache Log4j open source library used by IBM® Db2® is affected by a vulnerability that could allow a remote attacker to execute arbitrary code on the system. This library is used by the Db2 Federation feature. The fix for the vulnerability is to update the log4j library to version...
Security Bulletin: A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager
Summary A security vulnerability in Node.js node-fetch module affects IBM Cloud Automation Manager. Vulnerability Details CVEID:CVE-2022-0235 DESCRIPTION: Node.js node-fetch could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw when fetching a remote url wi...
Security Bulletin: Security Vulnerabilities in IBM® Java SDK affect multiple IBM Rational products based on IBM Jazz technology
Summary There are multiple vulnerabilities in IBM® SDK Java Technology Edition, Version 1.7 and 1.8 that are used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational...
Security Bulletin: IBM Security Guardium is affected by a kernel vulnerability
Summary IBM Security Guardium has fixed this vulnerability. Vulnerability Details CVEID: CVE-2020-10711 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by a NULL pointer dereference while receiving a CIPSO packet with a null category in the SELinux subsystem. By sending a...
Security Bulletin: IBM SDN for Virtual Environments is affected by a vulnerability in OpenSSL (CVE-2014-0224)
Summary A security vulnerability has been discovered in OpenSSL. Vulnerability Details CVE-ID: CVE-2014-0224 DESCRIPTION: An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle...
Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391)
Summary Elevation of privileges vulnerability in Flask and weaker than expected security in Python can affect IBM Spectrum Protect Plus Microsoft® File Systems backup and restore. Vulnerability Details CVEID: CVE-2021-33026 DESCRIPTION: Flask-Caching extension for Flask could allow a local...