Security Bulletin: Vulnerability in Flask and Python affects IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2021-33026, CVE-2022-0391)
Summary Elevation of privileges vulnerability in Flask and weaker than expected security in Python can affect IBM Spectrum Protect Plus Microsoft® File Systems backup and restore. Vulnerability Details CVEID: CVE-2021-33026 DESCRIPTION: Flask-Caching extension for Flask could allow a local...
Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Control (CVE-2021-44228)
Summary A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This vulnerability may affect IBM Spectrum Control due to its use of Log4j for logging, tracing, alerting, and the local help documentation. Vulnerability Details CVEID: CVE-2021-44228...
Security Bulletin: Vulnerability of Newtonsoft.Json-12.0.1.22727.dll has affected .NET Agent
Summary .NET Agent is vulnerable to Newtonsoft.Json 12.0.1.22727.dll. This fix has upgraded Newtonsoft.Json from Newtonsoft.Json-12.0.1.22727.dll to Newtonsoft.Json.13.0.3 Vulnerability Details IBM X-Force ID: 234366 DESCRIPTION: Newtonsoft.Json is vulnerable to a denial of service, caused by...
Security Bulletin: Potential vulnerability in IBM HTTP Server (CVE-2016-8743)
Summary There is a potential response splitting attack vulnerability in IBM HTTP Server. The fix for CVE-2016-8743 supersedes CVE-2016-4975. Vulnerability Details CVEID: CVE-2016-8743 DESCRIPTION: Apache HTTPD is vulnerable to HTTP response splitting attacks, caused by improper validation of...
Security Bulletin: Log4jShell Vulnerability affects IBM SPSS Statistics Server (CVE-2021-44228)
Summary There is a vulnerability in the version of Log4j that is part of IBM SPSS Statistics Server. IBM SPSS Statistics Server has addressed this vulnerability. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the...
Security Bulletin: Apache Log4j vulnerability is affecting IBM Engineering Requirements Management DOORS
Summary There is a vulnerability in Apache Log4j CVE-2021-44228 that is affecting IBM Engineering Requirements Management DOORS. This only affects customers who install the knowledge center on their computer. The IBM Engineering Requirements Management DOORS Server Windows installer contains the...
Security Bulletin: Vulnerability in SSLv3 affects IBM Tivoli Access Manager for e-business (CVE-2014-3566)
Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. This affects IBM Tivoli Access Manager for e-business components that use SSLv3 including WebSEAL and pdadmin. Vulnerability Details The following vulnerability...
Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to multiple CVEs
Summary Cloud Pak for Security CP4S v1.8.1.0 and earlier uses packages that are vulnerable to several CVEs. These have been remediated in the latest product release. Please see below for CVE details and the Remediation section for upgrade instructions. Vulnerability Details CVEID:CVE-2015-8985...
Security Bulletin: A vulnerability in GSKit affects IBM Security Network Intrusion Prevention System (CVE-2015-1788)
Summary A security vulnerability has been discovered in GSKit used with IBM Security Network Intrusion Prevention System. Vulnerability Details CVE ID: CVE-2015-1788 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a...
Security Bulletin: Vulnerability in jetty-server-9.4.48.v20220622.jar affects IBM Integrated Analytics System (Sailfish) [CVE-2023-26048]
Summary The jetty-server-9.4.48.v20220622.jar package is used by IBM Integrated Analytics System. IBM Integrated Analytics System has addressed the applicable CVE CVE-2023-26048. Vulnerability Details CVEID: CVE-2023-26048 DESCRIPTION: Eclipse Jetty is vulnerable to a denial of service, caused b...
Security Bulletin: Vulnerability in BIND affects AIX (CVE-2021-25219)
Summary UPDATED Mar 16 See Change History - New iFixes Provided: There is a vulnerability in BIND that affects AIX. Vulnerability Details CVEID: CVE-2021-25219 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a flaw in response processing. By abusing a lame cache, an attacker...
Security Bulletin: PostgreSQL as used by IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-32028, CVE-2021-32027)
Summary PostgreSQL as used by IBM QRadar SIEM is vulnerable to information disclosure Vulnerability Details CVEID: CVE-2021-32028 DESCRIPTION: PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT …...
Security Bulletin: IBM App Connect Enterprise Certified Container operands may be vulnerable to denial of service due to CVE-2018-25032
Summary Zlib is part of the base OS modules in all operand images in IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container is not directly vulnerable under standard operations, but custom use of the images may be vulnerable to denial of service. This...
Security Bulletin: Vulnerability in Apache Log4j affects IBM Spectrum Scale (CVE-2021-44228)
Summary A vulnerability in Apache Log4j could allow an attacker to execute arbitrary code on the system. This library is used by the Graphical User Interface GUI of IBM Spectrum Scale for logging. This vulnerability may affect IBM Spectrum Scale. Vulnerability Details CVEID: CVE-2021-44228...
Security Bulletin: Samba vulnerability issue in IBM SONAS (CVE-2017-7494)
Summary IBM SONAS is shipped with Samba, for which a fix is available for security vulnerabilities. Vulnerability Details Samba is used in IBM SONAS to enable file management and authentication services for Microsoft Windows environments. CVEID: CVE-2017-7494 DESCRIPTION: Samba could allow a remo...
Security Bulletin: IBM Security Access Manager appliances are affected by kernel vulnerabilities
Summary The IBM Security Access Manager appliance has addressed the following vulnerabilities. Vulnerability Details CVEID: CVE-2016-9555 DESCRIPTION: Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds access error in sctp_sf_ootb. By sending specially crafted data, a...
Security Bulletin: Vulnerability exists in Watson Explorer (CVE-2021-44228)
Summary Log4j is used by IBM Watson Explorer to log system events for diagnostics. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading Watson Explorer and thus addressing the exposure to the log4j vulnerability. Vulnerability Details CVEID: CVE-2021-44228...
Security Bulletin: IBM Cognos Command Center is affected by multiple vulnerabilities
Summary There are vulnerabilities in IBM® Runtime Environment Java™ Version 8 CVE-2022-21248, CVE-2022-21293, CVE-2022-21294, CVE-2022-21341, CVE-2021-35578, CVE-2021-35603, CVE-2021-35550 and Eclipse Openj9 CVE-2021-41035 used by IBM Cognos Command Center. IBM Cognos Command Center 10.2.4 Fix Pa...
Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900
Summary There is a vulnerability in Apache Struts to which the IBM FlashSystem™ 840 and 900 are susceptible. An exploit of that vulnerability CVE-2018-11776 could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. Vulnerability Details CVEID...
Security Bulletin: Due to use of Apache Log4j, IBM WebSphere Application Server Patterns is vulnerable to arbitrary code execution (CVE-2021-44832) and denial of service (CVE-2021-45105)
Summary IBM WebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. Information about the Apache Log4j security vulnerabilities CVE-2021-44832, CVE-2021-45105 affecting IBM WebSphere Application Server have been published in a separate security bulleti...
Security Bulletin: IBM Informix Dynamic Server is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-44228)
Summary There is a vulnerability in the Apache Log4j open source library used by IBM Informix Dynamic Server for IBM Informix HQ. Customers are encouraged to take action by applying the interim fix. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacke...
Security Bulletin: IBM Security Guardium Database Activity Monitor is affected by an SNMPD vulnerability
Summary IBM Security Guardium Database Activity Monitor has addressed the following vulnerability. Vulnerability Details CVEID: CVE-2002-0013 DESCRIPTION: Many vendor implementations of the Simple Network Management Protocol SNMP have multiple remote vulnerabilities caused by the improper handlin...
Security Bulletin: Log4j vulnerability CVE-2021-44228 affects IBM Cloud Pak for Data System 1.0
Summary Log4j is used by IBM Cloud Pak for Data System 1.0 in openshift-logging. This bulletin provides a remediation and mitigation for the reported Apache Log4j vulnerability, CVE-2021-44228. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to...
Security Bulletin: Security vulnerability in IBM Java SDK affect Rational Build Forge (CVE-2020-2654)
Summary IBM® SDK Java™ Technology Edition that is used by IBM Rational Build Forge has a security vulnerability. IBM Rational Build Forge has addressed the applicable CVE. Vulnerability Details CVEID: CVE-2020-2654 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE...
Security Bulletin: Lodash versions prior to 4.17.21 vulnerability in PowerHA System Mirror for AIX
Summary Lodash versions prior to 4.17.21 caused vulnerability in PowerHA System Mirror for AIX releases in service. Vulnerability Details CVEID: CVE-2021-23337 DESCRIPTION: Node.js lodash module could allow a remote authenticated attacker to execute arbitrary commands on the system, caused by a...
Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2022-34339, CVE-2021-3712, CVE-2021-3711, CVE-2021-4160, CVE-2021-29425, CVE-2021-3733, CVE-2021-3737, CVE-2022-0391, CVE-2021-43138, CVE-2022-24758)
Summary Security vulnerabilities have been addressed in IBM Cognos Analytics 11.1.7 FP6. These vulnerabilities have also been previously addressed in IBM Cognos Analytics 11.2.3. A vulnerability where user credentials are stored in plain cleartext in a log and could be read by an authenticated us...
Security Bulletin: A security vulnerability has been identified in IBM Java SDK shipped with IBM Tivoli Netcool Impact (CVE-2022-21299)
Summary There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 8 used by IBM Tivoli Netcool Impact. IBM Tivoli Netcool Impact has addressed the applicable CVE. This issue was disclosed in the Oracle January 2022 Critical Patch Update. Vulnerability Details CVEID: CVE-2022-21299...
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager (CVE-2016-5573, CVE-2016-5597)
Summary IBM WebSphere Application Server WAS is shipped as a component of IBM Tivoli Federated Identity Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. Vulnerability Details Please consult the security...
Security Bulletin: Multiple vulnerabilities in moment.js affect IBM Maximo Asset Management and the IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-31129, CVE-2022-24785)
Summary There are multiple vulnerabilities in moment.js that are used by IBM Maximo Asset Management and the IBM Maximo Manage application in the IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2022-31129 DESCRIPTION: Moment is vulnerable to a denial of service, caused by inefficien...
Security Bulletin: IBM Sterling Connect:Direct for Microsoft Windows is vulnerable to remote code execution due to Apache Commons Text (CVE-2022-42889)
Summary There is a vulnerability in Apache Commons Text used by IBM Sterling Connect:Direct for Microsoft Windows. IBM Sterling Connect:Direct for Microsoft Windows has addressed the applicable CVE CVE-2022-42889. Vulnerability Details CVEID:CVE-2022-42889 DESCRIPTION: Apache Commons Text could...
Security Bulletin: An Unspecified Vulnerability in Java runtime affects IBM SPSS (CVE-2022-21496)
Summary There is a vulnerability in IBM® Runtime Environment Java™ Versions 8.0 used by IBM SPSS Statistics. IBM SPSS Statistics has addressed the vulnerability. Vulnerability Details CVEID: CVE-2022-21496 DESCRIPTION: An unspecified vulnerability in Java SE related to the JNDI component could...
Security Bulletin: IBM i2 Analyze and IBM i2 Analyst's Notebook Premium are affected by Apache Log4j Vulnerabilities (CVE-2021-45105 and CVE-2021-45046)
Summary Apache Log4j is used by IBM i2 Analyze for general purpose and application error logging. It is also used in IBM i2 Analyst's Notebook Premium when the chart store is deployed. This bulletin addresses the vulnerabilities for the reported CVE-2021-45105 and CVE-2021-45046. The below fix...
Security Bulletin: Vulnerability in IBM Java SDK and IBM Java Runtime affects Rational Business Developer
Summary There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 7 and 8 and IBM® Runtime Environment Java™ Version 7 and 8 used by Rational Business Developer. Rational Business Developer has provided a fix for the applicable CVE. This issue was disclosed as part of the IBM Java SD...
Security Bulletin: Vulnerability in SANNav Software used by IBM b-type SAN directors and switches.
Summary The Brocade SANnav Management Portal and Global View products do not directly use Log4j2, but other modules used by Brocade SANnav do call and contain Log4j2 code. Brocade SANnav does not expose direct access to these services. However, it is recommended to disable the vulnerable...
Security Bulletin: CVE-2020-2773 may affect IBM® SDK, Java™ Technology Edition
Summary CVE-2020-2773 was disclosed as part of the Oracle April 2020 Critical Patch Update. Vulnerability Details CVEID: CVE-2020-2773 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Security component could allow an unauthenticated attacker to cause a denial of servic...
Security Bulletin: Weak file permissions vulnerability affects IBM Tivoli Monitoring for Tivoli Storage Manager (CVE-2015-4927)
Summary Weak file permissions exist on several files after the installation of Tivoli Storage Manager Reporting and Monitoring in a Linux or AIX environment. This has the potential of privilege escalation by an attacker. Vulnerability Details CVEID: CVE-2015-4927 DESCRIPTION: The installation of...
Security Bulletin: Due to use of Expat IBM Tivoli Network Manager is vulnerable to arbitrary code execution (multiple vulnerabilities)
Summary Expat (aka libexpat), which is used by IBM Tivoli Network Manager (ITNM), could allow a remote attacker to execute arbitrary code on the system, caused by an integer overflow in the XMLGetBuffer function. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute...
Security Bulletin: Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager (CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832)
Summary Multiple vulnerabilities in Apache Log4j affect the IBM WebSphere Application Server and IBM Security Guardium Key Lifecycle Manager CVE-2021-4104, CVE-2021-45046, CVE-2021-45105 and CVE-2021-44832. The fix addresses the vulnerability by removing Apache Log4j. Vulnerability Details...
Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affects multiple IBM Rational products based on IBM Jazz technology (CVE-2015-0488, CVE-2015-0478, CVE-2015-2808, CVE-2015-1916, CVE-2015-0204, CVE-2015-2613, CVE-2015-2601, etc.)
Summary There are multiple vulnerabilities in IBM® SDK Java Technology Edition, Version 1.6 that is used by IBM Jazz Team Server affecting the following IBM Jazz Team Server based Applications: Collaborative Lifecycle Management CLM, Rational Requirements Composer RRC, Rational DOORS Next...
Security Bulletin: Vulnerability in Apache Log4j affects some features of IBM DB2 supported by IBM Security Verify Governance
Summary IBM DB2 is supported as an external component of IBM Security Verify Governance. Information about an Apache Log4j security vulnerability affecting IBM DB2 has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...
Security Bulletin: Log4j as used in IBM® QRadar User Behavior Analytics application add on to IBM® QRadar SIEM is vulnerable to remote code execution (RCE) (CVE-2021-44228)
Summary Log4j is used by IBM® QRadar User Behavior Analytics application to log system events. This bulletin provides a remediation for the vulnerability, CVE-2021-44228 by upgrading IBM® QRadar User Behavior Analytics application add on to IBM® QRadar SIEM and thus addressing the exposure to the...
Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational DOORS Web Access
Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Versions 7 and 8, which are used by IBM Rational DOORS Web Access. These issues were disclosed as part of the IBM Java SDK updates in October 2017. Vulnerability Details CVEID: CVE-2017-10356 DESCRIPTION: An unspecified...
Security Bulletin: IBM Data Replication Java SDK Update
Summary This bulletin covers common Java SDK vulnerability findings in the IBM Java SDK packaged with this offering. Vulnerability Details CVEID: CVE-2020-14782 DESCRIPTION: An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause...
Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management
Summary Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability. Vulnerability Details CVEID: CVE-2020-14351 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a...
Security Bulletin: AIX is vulnerable to a denial of service due to libxml2 (CVE-2022-29824)
Summary UPDATED Dec 12 2022 Added iFixes for AIX 7.2 TL5 SP5 and VIOS 3.1.4.10: A vulnerability in libxml2 could allow a remote attacker to cause a denial of service CVE-2022-29824. AIX uses libxml2 as part of its XML parsing functions. Vulnerability Details CVEID:CVE-2022-29824 DESCRIPTION: GNOM...
Security Bulletin: IBM Tivoli Federated Identity Manager is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-4104, CVE-2021-45046)
Summary IBM WebSphere Application Server is shipped with IBM Tivoli Federated Identity Manager. Information about security vulnerabilities CVE-2021-4104, CVE-2021-45046 affecting IBM WebSphere Application Server have been published in a security bulletin. Vulnerability Details Refer to the securi...
Security Bulletin: IBM Jazz for Service Management is vulnerable to a Apache Log4j vulnerability (CVE-2021-44832)
Summary Based on current information and analysis, IBM Jazz for Service Management does not use Apache log4j-core library which is vulnerable to CVE-2021-44832. However, IBM Jazz for Service Management may be impacted because the old version of Log4j-1.2-api and Log4j-api are used in the...
Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM Spectrum Protect Plus (CVE-2018-0735, CVE-2018-0734, CVE-2018-5407)
Summary OpenSSL vulnerabilities were disclosed by the OpenSSL Project in October and November of 2018. IBM Spectrum Protect Plus uses OpenSSL and has addressed the applicable CVEs. 20 February 2020 - Changed fixing level from 10.1.5 to 10.1.5 patch1. 21 February 2020 - Provided link to 10.1.5...
Security Bulletin: Apache Log4j Vulnerability Affects IBM Secure External Authentication Server (CVE-2021-44228)
Summary An Apache Log4j vulnerability allowing a remote attacker to execute arbitrary code on the system was addressed by IBM Secure External Authentication Server. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the...
Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server shipped with IBM Tivoli Netcool Performance Manager for Wireline (Deferred CVE-2020-2590 and CVE-2020-2601)
Summary There are vulnerabilities in IBM® SDK Java™ Technology Edition, Version that is used by Tivoli Netcool Performance Manager. This issue is disclosed as part of the IBM Java SDK updates for July 2020. Information about a security vulnerability affecting IBM WebSphere Application Server has...