35705 matches found
Security Bulletin: IBM Cloud Pak for Security includes components with multiple known vulnerabilities
Summary IBM Cloud Pak for Security includes components with known vulnerabilities. These have been updated in the latest release and vulnerabilities have been addressed. Please follow the instructions in the Remediation/Fixes section below to update to the latest version of Cloud Pak for Security...
Security Bulletin: IBM Spectrum Conductor is vulnerable to arbitrary code execution [CVE-2022-42889]
Summary Apache Commons Text is used by IBM Spectrum Conductor in Spark 3.0.1. This bulletin provides interim fixes which include Apache Commons Text 1.10.0 to fix arbitrary code execution in IBM Spectrum Conductor. CVE-2022-42889 Vulnerability Details CVEID:CVE-2022-42889 DESCRIPTION: Apache...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2018-1656, CVE-2018-12539)
Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 used by IBM Tivoli System Automation Application Manager. These issues were disclosed as part of the IBM Java SDK updates in July 2018. Vulnerability Details CVEID: CVE-2018-1656 DESCRIPTION: The IBM Java...
Security Bulletin: IBM DataPower Gateway affected by vulnerability in Java (CVE-2022-21626)
Summary IBM has addressed the CVE, which potentially affects JDBC, IMS Callout and JMS components Vulnerability Details CVEID:CVE-2022-21626 DESCRIPTION: An unspecified vulnerability in Java SE related to the Security component could allow an unauthenticated attacker to cause a denial of service...
Security Bulletin: Vulnerability in Bind (CVE-2021-25219) affects Power HMC
Summary BIND is used by Power Hardware Management Console HMC. HMC has addressed the applicable CVE Vulnerability Details CVEID:CVE-2021-25219 DESCRIPTION: ISC BIND is vulnerable to a denial of service, caused by a flaw in response processing. By abusing a lame cache, an attacker could exploit th...
Security Bulletin: A CVE-2021-37714 vulnerability in jsoup affects IBM Process Designer in IBM Business Automation Workflow and IBM Business Process Manager
Summary A vulnerabilitiy exists in jsoup used by the desktop version of IBM Process Designer. IBM Process Designer has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2021-37714 DESCRIPTION: jsoup is vulnerable to a denial of service, caused by improper input validation. By sending ...
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.5
Summary Cross reference list for security vulnerabilites fixed in IBM WebSphere Application Server 8.5.5.5, IBM WebSphere Application Server Hypervisor 8.5.5.5 and IBM HTTP Server 8.5.5.5 Vulnerability Details CVEID:CVE-2015-0174APAR PI21072 DESCRIPTION: IBM WebSphere Application Server using SNM...
Security Bulletin: Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service.
Summary Java SE as used by IBM Cloud Pak For Security is vulnerable to information disclosure and denial of service. IBM has addressed the relevant vulnerabilities. Vulnerability Details CVEID:CVE-2021-35550 DESCRIPTION: An unspecified vulnerability in Java SE related to the JSSE component could...
Security Bulletin: Multiple security vulnerabilities found in open source code that is shipped with IBM Security Verify Governance, Identity Manager virtual appliance component
Summary IBM has found several open source vulnerabilites in the IBM Security Verify Governance, Identity Manager virtual appliance product, including Apache Log4j, which is used by IBM Security Verify Governance, Identity Manager virtual appliance component as part of its logging infrastructure...
Security Bulletin: IBM QRadar Network Packet Capture includes multiple vulnerable components.
Summary The product includes multiple vulnerable components e.g., framework libraries that may be identified and exploited with automated tools. IBM has addressed the relevant CVEs. Vulnerability Details CVEID: CVE-2018-25032 DESCRIPTION: Zlib is vulnerable to a denial of service, caused by a...
Security Bulletin: Vulnerability in OpenSSL affects IBM Watson Explorer (CVE-2022-0778)
Summary OpenSSL is used by IBM Watson Explorer OneWEX and Foundational Components. IBM Watson Explorer has addressed the applicable CVE CVE-2022-0778. Vulnerability Details CVEID: CVE-2022-0778 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw in the BNmodsqrt function...
Security Bulletin: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking.
Summary IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. Vulnerability Details CVEID: CVE-2021-20515 DESCRIPTION: IBM Informix Dynamic Server is vulnerable to a stack based buffer overflow, caused by improper bounds checking. A local...
Security Bulletin: Critical Vulnerabilities in libraries used by libraries that IBM Spectrum discover is using (libraries of libraries)
Summary Vulnerabilities in libraries used by libraries in IBM Spectrum Discover allow to a remote attackers by conduct of methodes like phishing attacks or execution of arbitrary code to get sensitive information, overflow a buffer causing the application to crash, and other critical problems...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite
Summary There are vulnerabilities in IBM® WebSphere Application Server Liberty shipped with IBM Security Directory Suite. Vulnerability Details CVEID: CVE-2021-35517 DESCRIPTION: Apache Commons Compress is vulnerable to a denial of service, caused by an out of memory error when allocating large...
Security Bulletin: Log4j remote code execution vulnerability in Apache Solr and Logstash shipped with IBM Operations Analytics - Log Analysis (CVE-2021-44228)
Summary IBM Operations Analytics - Log Analysis is bundled with Apache-Solr and Logstash Third-party components which are affected by the "CVE-2021-44228" security vulnerability. Vulnerability Details CVEID: CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitra...
Security Bulletin: Vulnerability in Apache Log4j affects Netcool/Omnibus 8.1 (CVE-2021-44228)
Summary A vulnerability was identified within the Apache Log4j library that is used by Netcool/Omnibus 8.1. This vulnerability is only present when either of the 'Administrator GUI' or 'Operator GUI' features are installed. This vulnerability has been addressed. Vulnerability Details CVEID:...
Security Bulletin: Multiple vulnerabilities in IBM HTTP Server used by WebSphere Application Server
Summary There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server. This has been addressed. Vulnerability Details CVEID: CVE-2021-34798 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in httpd core. By...
Security Bulletin: Multiple vulnerabilities may affect IBM® SDK, Java™ Technology Edition
Summary Java SE issues disclosed in the Oracle July 2021 Critical Patch Update, minus CVE-2021-2341. CVE-2021-2341 will be covered in an additional bulletin. Vulnerability Details CVEID: CVE-2021-2388 DESCRIPTION: An unspecified vulnerability in Java SE related to the VM component could allow an...
Security Bulletin: Vulnerabilities in psutil, python, and Golang affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
Summary Vulnerabilities in psutil, python and Golang Go may affect IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift. Vulnerability Details CVEID: CVE-2019-18874 DESCRIPTION: psutil is vulnerable to a denial of service, caused by a double free. By using...
Security Bulletin: Vulnerabilities CVE-2016-0736, CVE-2016-2161 and CVE-2016-8743 in IBM i HTTP Server
Summary HTTP Server is supported by IBM i. IBM i has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-0736 DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by an error in modsessioncrypto. By sending specially crafted data, a remo...
Security Bulletin: Java CVE-2015-2590
Summary An unspecified vulnerability related to the Libraries component has complete confidentiality impact, complete integrity impact, and complete availability impact and affects IBM i java. Vulnerability Details CVEID: CVE-2015-2590 DESCRIPTION: An unspecified vulnerability and Java SE Embedde...
Security Bulletin: Multiple vulnerabilities in Apache HTTP Server affect IBM Cognos Business Intelligence
Summary This bulletin addresses several security vulnerabilities in Apache HTTP Server that are fixed in IBM Cognos Business Intelligence. Vulnerability Details CVEID: CVE-2016-0736 DESCRIPTION: Apache HTTPD could allow a remote attacker to obtain sensitive information, caused by an error in...
Security Bulletin: Rational DOORS Web Access is affected by Apache Tomcat vulnerabilities
Summary Some versions of Rational DOORS Web Access are shipped with an Apache Tomcat application server that contains security vulnerabilities. Apache Tomcat has been updated to incorporate fixes for these vulnerabilities. Vulnerability Details CVEID: CVE-2018-1305 DESCRIPTION: Apache Tomcat coul...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics
Summary IBM® DB2® is shipped as a component of IBM PureData System for Operational Analytics. Information about security vulnerabilities affecting IBM DB2 have been published in a security bulletin. Vulnerability Details CVEID:CVE-2017-12973 DESCRIPTION: Connect2id Nimbus JOSE+JWT could provide...
Security Bulletin: IBM Planning Analytics Workspace is affected by vulnerabilities
Summary There are vulnerabilities in multiple Open Source Software OSS components consumed by IBM Planning Analytics Workspace. These issues have been addressed by upgrading or removing the vulnerable libraries. Additionally, two Malicious File Upload vulnerabilities have been addressed. Please...
Security Bulletin: IBM Cloud Pak for Network Automation 2.6.5 fixes multiple security vulnerabilities
Summary IBM Cloud Pak for Network Automation 2.6.5 fixes multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID:CVE-2002-0080 DESCRIPTION: rsync could allow a remote attacker to gain elevated privileges on the system. rsync fails to drop privileges for...
Security Bulletin: IBM® Engineering Requirements Management DOORS/DWA vulnerabilities addressed in 9.7.2.8
Summary Third party reported 'Stored XSS' and 'CSRF' issues, Apache Tomcat, Apache ActiveMQ, CKEditor, libcURL, xmlbeans, scala-library, json-smart, jna-platform, jackson-databind, commons-io, shiro-core, commons-net, snappy-java, xercesImpl are identified as vulnerable components with multiple...
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF001
Summary The following security vulnerabilities are addressed with IBM Process Mining 1.15.0 IF001 Vulnerability Details CVEID:CVE-2024-37891 DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information, caused by the failure to strip the Proxy-Authorization...
Security Bulletin: Vulnerabilty in the .NET Core Framework may affect IBM Robotic Process Automation and could allow an attacker to remotely execute arbitrary code.
Summary There is a vulnerability in System.Drawing.Comman used by IBM Robotic Process Automation as part of the .NET Core framework. CVE-2021-24112. The vulnerability could allow an attacker to remotely execute arbitrary code. This bulletin identifies the security fixes to apply to address this...
Security Bulletin: IBM i Access Client Solutions is vulnerable to remote code execution and failing to secure passwords due to multiple vulnerabilities
Summary IBM i Access Client Solutions is vulnerable to remote code execution due to a flaw which fails to authenticate the origin of a serialized object CVE-2023-45185, and insecurely storing passwords by allowing the password encryption key to be retrieved CVE-2023-45184 or decoded using a brute...
Security Bulletin: IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap [CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115]
Summary IBM App Connect Enterprise is vulnerable to a remote attack and a denial of service due to Node.js modules protobuf.js, vm2 and word-wrap CVE-2023-36665, CVE-2023-37903, CVE-2023-37466 and CVE-2023-26115. The fix includes protobuf.js =7.2.4, word-wrap =1.2.5 and vm2 has been removed from...
Security Bulletin: Multiple security vulnerabilities affect IBM Robotic Process Automation
Summary Python, Apache Spark, Tensorflow and Traefik contain multiple vulnerabilities and are used by IBM Robotic Process Automation as part of Watson NLP CVE-2022-40898, CVE-2023-22946, CVE-2023-25658, CVE-2023-25659, CVE-2023-25660, CVE-2023-25661, CVE-2023-25662, CVE-2023-25663, CVE-2023-25664...
Security Bulletin: Apache Log4j Vulnerability affects Cloud Pak for Data (CVE-2021-44228)
Summary There is a vulnerability in the version of Apache Log4j that was included in Cloud Pak for Data. This issue has been addressed. Vulnerability Details CVEID:CVE-2021-44228 DESCRIPTION: Apache Log4j could allow a remote attacker to execute arbitrary code on the system, caused by the failure...
Security Bulletin: IBM Security Directory Integrator is affected by multiple security vulnerabilities
Summary IBM Security Directory Integrator has addressed several security issues in open source packages. Please apply the fix as detailed below. Vulnerability Details CVEID:CVE-2018-1270 DESCRIPTION: Pivotal Spring Framework could allow a remote attacker to execute arbitrary code on the system,...
Security Bulletin: IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities
Summary IBM Cloud Pak for Network Automation 2.5.0 fixes multiple security vulnerabilities, listed in the CVEs below. Vulnerability Details CVEID:CVE-2023-31047 DESCRIPTION: Django could allow a remote attacker to bypass security restrictions. By sending a specially-crafted request, an attacker...
Security Bulletin: Open Source Dependency Vulnerability
Summary IBM Edge Application Manager 4.5 has resolved the vulnerability. Vulnerability Details CVEID:CVE-2018-14040 DESCRIPTION: Bootstrap is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the collapse data-parent attribute. A remote attacker could...
Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2023-24998)
Summary IBM WebSphere Application Server is shipped as a component of Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixe...
Security Bulletin: CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard
Summary Multiple CVEs CVE-2022-27664, CVE-2022-21698, CVE-2021-43565 and CVE-2022-27191 may affect IBM CICS TX Standard. IBM CICS TX Standard has addressed the applicable CVEs. Relevant Go related packages have been upgraded. Vulnerability Details CVEID:CVE-2022-27664 DESCRIPTION: Golang Go is...
Security Bulletin: Vulnerability in Apache Struts affects SAN Volume Controller, Storwize family and FlashSystem V9000 products (CVE-2016-4461)
Summary A vulnerability in the Apache Struts component affects the Service Assistant GUI of SAN Volume Controller, Storwize family and FlashSystem V9000 products. The Command Line Interface is unaffected. Vulnerability Details CVEID: CVE-2016-4461 DESCRIPTION: Apache Struts could allow a remote...
Security Bulletin: IBM MQ for HP NonStop Server is affected by multiple OpenSSL vulnerabilities
Summary Multiple vulnerabilites have been identified in the OpenSSL conponent of IBM MQ for HPE NonStop Server. These are CVE-2022-4304 CVE-2023-0215 CVE-2023-0286. Vulnerability Details CVEID:CVE-2022-4304 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused...
Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to request smuggling in Go (CVE-2022-41721)
Summary Automation Assets in IBM Cloud Pak for Integration is vulnerable to request smuggling in Go with details below. Vulnerability Details CVEID:CVE-2022-41721 DESCRIPTION: Golang Go is vulnerable to HTTP request smuggling, caused by a flaw when using MaxBytesHandler. By sending a...
Security Bulletin: IBM QRadar SIEM is vulnerable to possible information disclosure [CVE-2023-22875]
Summary IBM QRadar SIEM copies certificate key files used for SSL/TLS in the QRadar web user interface to managed hosts in the deployment that do not require that key. The key remains within the QRadar deployment. However, if you allow users other than QRadar system administrators to access manag...
Security Bulletin: Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package(CVE-2022-26336)
Summary Apache POI is vulnerable to a denial of service, caused by an out of memory exception flaw in the HMEF package. By persuading a victim to open a specially-crafted TNEF file, a remote attacker could exploit this vulnerability to cause the server to crashCVE-2022-26336 Vulnerability Details...
Security Bulletin: IBM MQ is affected by FasterXML jackson-databind vulnerabilities (CVE-2022-42003, CVE-2022-42004)
Summary Multiple issues were identified with the Jackson library that is used within the IBM MQ Console to provide REST API functionality. Vulnerability Details CVEID:CVE-2022-42003 DESCRIPTION: FasterXML jackson-databind is vulnerable to a denial of service, caused by a lack of a check in the...
Security Bulletin: IBM Cloud Pak for Multicloud Management is vulnerable to denial of service attacks due to snakeYAML
Summary SnakeYAML is used by some components of IBM Cloud Pak for Multicloud Management and it is vulnerable to a denial of service attacks. CVE-2022-25857, CVE-2022-38751, CVE-2022-38752, CVE-2022-38749, CVE-2022-38750 Vulnerability Details CVEID:CVE-2022-25857 DESCRIPTION: Java package...
Security Bulletin: Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)
Summary IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore can be affected by vulnerabilities in Certifi, Setuptools and Python. Vulnerabilities include error with TurstCor's owenership of certificates and denial of service attacks, as described by the CVEs in the "Vulnerability...
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache Spark
Summary IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Apache Spark. Vulnerability Details CVEID:CVE-2022-31777 DESCRIPTION: Apache Spark is vulnerable to cross-site scripting, caused by improper validation of user-supplied input in the log viewer. A...
Security Bulletin: IBM UrbanCode Release is affected by CVE-2022-42252
Summary IBM UrbanCode Release is affected by CVE-2022-42252 Vulnerability Details CVEID:CVE-2022-42252 DESCRIPTION: Apache Tomcat is vulnerable to HTTP request smuggling, caused by the failure to reject a request containing an invalid Content-Length header when configured to ignore invalid HTTP...
Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation for Multiplatforms - April 2021 CPU (CVE-2021-2163)
Summary There are multiple vulnerabilities in IBM SDK Java Technology Edition, Version 8 used by v4.1.0.4 to 4.1.0.7 of IBM Tivoli System Automation for Multiplatforms. These issues were disclosed as part of the IBM Java SDK updates in April 2021. Vulnerability Details Refer to the security...
Security Bulletin: IBM Security Guardium is affected by a PolicyKit vulnerability (CVE-2021-4034)
Summary IBM Security Guardium has fixed this vulnerability. Vulnerability Details CVEID:CVE-2021-4034 DESCRIPTION: Polkit could allow a local authenticated attacker to gain elevated privileges on the system, caused by incorrect handling of the argument vectors in the pkexec utility. By crafting...