34986 matches found

IBM Security Bulletins
added 2025/04/29 1:37 p.m. | 15 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to denial of service due to OpenSSL (CVE-2022-0778)

Summary OpenSSL is used by DataStage on Cloud Pak for Data as part of secure network communication. Vulnerability Details CVEID:CVE-2022-0778 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by a flaw in the BN_mod_sqrt function when parsing certificates. By using a specially-craft...

CVSS 7.5 | AI score 9.4 | EPSS 0.07539
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 1:35 p.m. | 12 views

Security Bulletin: DataStage on Cloud Pak for Data is vulnerable to arbitrary code execution due to Apache Avro (CVE-2024-47561)

Summary Apache Avro is used by DataStage on Cloud Pak for Data as part of data serialization. Vulnerability Details CVEID:CVE-2024-47561 DESCRIPTION: Apache Avro could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in schema parsing in the Java SDK...

CVSS 9.2 | AI score 7.3 | EPSS 0.00674
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 12:41 p.m. | 15 views

Security Bulletin: There is an Out-of-Bounds write vulnerability in MIT's Kerberos 5 that is shipped with IBM TXSeries for Multiplatforms (CVE-2025-24528).

Summary There is an Out-of-Bounds write vulnerability in MIT's Kerberos 5 that is shipped with IBM TXSeries for Multiplatforms CVE-2025-24528. MIT's Kerberos 5 is a network authentication protocol that is used by IBM TXSeries for Multiplatforms. An update to IBM TXSeries for Multiplatforms has be...

CVSS 7.1 | AI score 6.4 | EPSS 0.00206
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 10:12 a.m. | 11 views

Security Bulletin: IBM WebSphere Application Server shipped with Jazz for Service Management (JazzSM) is vulnerable to server-side request forgery (CVE-2025-27907)

Summary IBM WebSphere Application Server shipped with Jazz for Service Management JazzSM is vulnerable to server-side request forgery. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affected Products| Versions ---|---...

CVSS 4.1 | AI score 6.6 | EPSS 0.00123
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:40 a.m. | 69 views

Security Bulletin: Multiple Vulnerabilities in IBM API Connect

Summary Multiple vulnerabilities were addressed in IBM API Connect version 10.0.8.2-ifix1 Vulnerability Details CVEID:CVE-2025-1974 DESCRIPTION: A security issue was discovered in Kubernetes where under certain conditions, an unauthenticated attacker with access to the pod network can achieve...

CVSS 9.8 | AI score 9.8 | EPSS 0.91918
Exploits: 26 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:39 a.m. | 90 views

Security Bulletin: Multiple vulnerabilities in IBM Rapid Infrastructure Automation

Summary Multiple vulnerabilities were addressed in IBM Rapid Infrastructure Automation v1.1.5 Vulnerability Details CVEID:CVE-2024-47875 DESCRIPTION: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to nesting-based mXSS. This...

CVSS 10 | AI score 10 | EPSS 0.00917
Exploits: 6 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:38 a.m. | 33 views

Security Bulletin: IBM Security Guardium is affected by multiple kernel vulnerabilities

Summary IBM Security Guardium has addressed these vulnerabilities in an update Vulnerability Details CVEID:CVE-2024-26669 DESCRIPTION: Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a chain template offload flaw in net/sched. By sending a...

CVSS 7.8 | AI score 9.3 | EPSS 0.00287
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:38 a.m. | 19 views

Security Bulletin: IBM Engineering Lifecycle Management is vulnerable to Javascript Injection. (CVE-2021-29669)

Summary Summary guidance: IBM Engineering Lifecycle Management - IBM Jazz is vulnerable to Javascript Injection. This bulletin contains information regarding vulnerabilities and remediation actions. Vulnerability Details CVEID:CVE-2021-29669 DESCRIPTION: IBM Jazz Foundation is vulnerable to...

CVSS 5.4 | AI score 5.5 | EPSS 0.00299
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:37 a.m. | 22 views

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-9676)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in the cri-o component which a remote authenticated attacker could exploit to cause a denial of service condition. CVE-2024-9676 Vulnerability Details CVEID: CVE-2024-9676 Description: Podman, Buildah and CRI-O a...

CVSS 6.5 | AI score 7 | EPSS 0.01561
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:37 a.m. | 24 views

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a cri-o security vulnerability (CVE-2024-5154)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability found in the cri-o component which could allow an attacker to send a specially crafted URL request containing "dot dot" sequences /../ to read and write arbitrary files on the system. Vulnerability Details CVEID:...

CVSS 8.1 | AI score 8.1 | EPSS 0.01705
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:35 a.m. | 84 views

Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities

Summary IBM Cloud Transformation Advisor has addressed multiple security vulnerabilities listed herein. Vulnerability Details CVEID:CVE-2023-49569 DESCRIPTION: go-git could allow a remote attacker to traverse directories on the system. By sending a specially crafted request using the ChrootOS...

CVSS 9.8 | AI score 10 | EPSS 0.04945
Exploits: 5 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:34 a.m. | 65 views

Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation Fixes for April 2024.

Summary In addition to OS level package updates, multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation 21.0.3-IF032 and 23.0.2-IF004. Vulnerability Details CVEID:CVE-2024-22353 DESCRIPTION: IBM WebSphere Application Server Liberty 17.0.0.3 through 24.0.0.4 is...

CVSS 9.8 | AI score 7.3 | EPSS 0.944
Exploits: 26 | Affected Software: 2

IBM Security Bulletins
added 2025/04/29 2:34 a.m. | 99 views

Security Bulletin: IBM Security Verify Governance - Identity Manager has multiple vulnerabilities

Summary Multiple security vulnerabilities have been addressed in updates to IBM Security Verify Governance - Identity Manager software component and IBM Security Verify Governance - Identity Manager virtual appliance component. Vulnerability Details CVEID:CVE-2024-38809 DESCRIPTION: VMware Tanzu...

CVSS 7.8 | AI score 9.9 | EPSS 0.0844
Exploits: 4 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:33 a.m. | 72 views

Security Bulletin: Order Management is subject to various OS vulnerabilities which could have allowed attacker various entry points into application.

Summary Order Management has updated the container OS version and remediated to the point of code freeze. This bulletin identifies the steps to take to address the vulnerabilities by updating to the very latest OS version. Vulnerability Details CVEID:CVE-2022-2923 DESCRIPTION: Vim is vulnerable t...

CVSS 7.8 | AI score 10 | EPSS 0.06189
Exploits: 8 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:33 a.m. | 24 views

Security Bulletin: Several vulnerabilities affect Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0

Summary Several vulnerabilities in Watson Machine Learning Accelerator on Cloud Pak for Data 5.0.0 have been fixed in Watson Machine Learning Accelerator on Cloud Pak for Data 5.0 latest refresh. Vulnerability Details CVEID:CVE-2024-3568 DESCRIPTION: Hugging Face Transformers could allow a remote...

CVSS 9.6 | AI score 8.9 | EPSS 0.4365
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:32 a.m. | 39 views

Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a Kubernetes API server security vulnerability (CVE-2023-1260)

Summary Red Hat OpenShift on IBM Cloud is affected by a security vulnerability in the Kubernetes API server that may allow an authenticated user to evade security context constraints SCCs admission restrictions, thereby gaining control of a privileged pod CVE-2023-1260. Vulnerability Details CVEID:...

CVSS 8 | AI score 8.1 | EPSS 0.00063
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:31 a.m. | 59 views

Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related to Node.js

Summary Vulnerabilities in Node.js such as remote attacker bypass security restrictions may affect IBM Spectrum Control. Vulnerability Details CVEID:CVE-2023-30581 DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the use of __proto__ in...

CVSS 8.8 | AI score 8 | EPSS 0.02122
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:30 a.m. | 30 views

Security Bulletin: IBM Safer Payments vulnerable to Denial Of Service Attacks (CVE-2020-4729)

Summary IBM Safer Payments can be crashed by sending specially crafted API calls. This vulnerability has been addressed. Vulnerability Details CVEID:CVE-2020-4729 DESCRIPTION: IBM Counter Fraud Management for Safer Payments could allow an authenticated attacker under special circumstances to send...

CVSS 5.3 | AI score 5.4 | EPSS 0.00398
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:27 a.m. | 19 views

Security Bulletin: A security vulnerability has been identified in IBM HTTP Server shipped with IBM WebSphere Remote Server (CVE-2022-25690)

Summary IBM HTTP Server is shipped with IBM WebSphere Remote Server. Information about a security vulnerability affecting IBM HTTP Server has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and...

CVSS 7.5 | AI score 7.5 | EPSS 0.00297
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:27 a.m. | 41 views

Security Bulletin: IBM Spectrum Protect Plus vulnerability discloses sensitive information due to unencrypted data in transit (CVE-2020-4497)

Summary IBM Spectrum Protect Plus does not encrypt data transfer between vSnap servers and application agents. This could allow an attacker to view sensitive information in transit. Vulnerability Details CVEID:CVE-2020-4497 DESCRIPTION: IBM Spectrum Protect Plus discloses sensitive information due...

CVSS 6.8 | AI score 5.5 | EPSS 0.00146
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:26 a.m. | 97 views

Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

Summary IBM Security Guardium has fixed these vulnerabilities. Vulnerability Details CVEID:CVE-2021-39077 DESCRIPTION: IBM Security Guardium stores user credentials in plain clear text which can be read by a local privileged user. CVSS Base score: 4.4 CVSS Temporal Score: See:...

CVSS 10 | AI score 10 | EPSS 0.15391
Exploits: 3 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:26 a.m. | 38 views

Security Bulletin: IBM InfoSphere Information Server is vulnerable to information disclosure (CVE-2022-22442)

Summary An information disclosure vulnerability due to improper access controls was addressed in InfoSphere Information Server. Vulnerability Details CVEID:CVE-2022-22442 DESCRIPTION: IBM InfoSphere Information Server could allow an authenticated user to access information restricted to users wit...

CVSS 6.5 | AI score 6.2 | EPSS 0.00221
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:25 a.m. | 30 views

Security Bulletin: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery (CVE-2022-22493)

Summary IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery. This has been addressed. Vulnerability Details CVEID:CVE-2022-22493 DESCRIPTION: IBM WebSphere Automation for IBM Cloud Pak for Watson AIOps is vulnerable to cross-site request forgery...

CVSS 8.8 | AI score 6.3 | EPSS 0.00111
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:25 a.m. | 34 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to Clickjacking (CVE-2022-22503)

Summary IBM Robotic Process Automation could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks again...

CVSS 6.1 | AI score 6.2 | EPSS 0.00121
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:25 a.m. | 72 views

Security Bulletin: IBM Common Cryptographic Architecture (CCA) is vulnerable to denial of service (CVE-2022-22423)

Summary Insufficient input validation in IBM Common Cryptographic Architecture CCA may affect Hardware Security Module HSM availability. An affected IBM 4767 or IBM 4769 HSM may be forced into a check-stop condition by specially-crafted requests from HSM users. Recovery from a check-stop conditio...

CVSS 6.5 | AI score 5.3 | EPSS 0.00038
Exploits: 0 | Affected Software: 9

IBM Security Bulletins
added 2025/04/29 2:24 a.m. | 48 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to exposure of Azure bot credentials (CVE-2022-22490)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to exposure of Azure bot credentials CVE-2022-22490 Vulnerability Details CVEID:CVE-2022-22490 DESCRIPTION: IBM Robotic Process Automation could allow a privileged user to obtain sensitive Azure bot credential information. CV...

CVSS 4.9 | AI score 4.9 | EPSS 0.00189
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:23 a.m. | 30 views

Security Bulletin: IBM DataPower Gateway does not force a Gateway Peering password change

Summary The DataPower UI does not notify customers of any gateway-peering instance that uses the system default password. The UI will now warn if the password is not changed. Vulnerability Details CVEID:CVE-2022-31776 DESCRIPTION: IBM DataPower Gateway 10.0.2.0 through 10.0.4.0, 10.0.1.0 through...

CVSS 8.8 | AI score 8.7 | EPSS 0.00135
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:23 a.m. | 67 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to an information disclosure (CVE-2022-22334)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to an information disclosure CVE-2022-22334 Vulnerability Details CVEID:CVE-2022-22334 DESCRIPTION: IBM Robotic Process Automation could allow a user to access information from a tenant of which they should not have access...

CVSS 4.3 | AI score 4.3 | EPSS 0.00126
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:22 a.m. | 47 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of chatbot credentials (CVE-2022-33954)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to disclosure of chatbot credentials CVE-2022-33954 Vulnerability Details CVEID:CVE-2022-33954 DESCRIPTION: IBM Robotic Process Automation could allow a user with physical access to the system to obtain sensitive information...

CVSS 4.6 | AI score 4.6 | EPSS 0.00065
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:22 a.m. | 36 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected credential for users created via bulk upload (CVE-2022-33169)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected credential for users created via bulk upload CVE-2022-33169 Vulnerability Details CVEID:CVE-2022-33169 DESCRIPTION: IBM Robotic Process Automation is vulnerable to insufficiently protected...

CVSS 6.5 | AI score 6.4 | EPSS 0.00142
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:21 a.m. | 37 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to privilege escalation (CVE-2022-30616)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to privilege escalation CVE-2022-30616 Vulnerability Details CVEID:CVE-2022-30616 DESCRIPTION: IBM Robotic Process Automation could allow a privileged user to elevate their privilege to platform administrator through...

CVSS 8 | AI score 7.2 | EPSS 0.00402
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:21 a.m. | 28 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens CVE-2022-22412 Vulnerability Details CVEID:CVE-2022-22412 DESCRIPTION: IBM Robotic Process Automation could allow a user with access to the local host client machine to obtain a login...

CVSS 4.6 | AI score 4.4 | EPSS 0.00085
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:20 a.m. | 37 views

Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936)

Summary IBM QRadar SIEM is vulnerable to information disclosure. IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2021-38936 DESCRIPTION: IBM QRadar SIEM could disclose highly sensitive information to a privileged user. CVSS Base score: 4.9 CVSS Temporal Score: Se...

CVSS 4.9 | AI score 4.7 | EPSS 0.00189
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:20 a.m. | 30 views

Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041

Summary The Common and TCPMultilineSyslog protocol components as used by IBM QRadar SIEM contain vulnerabilities which may allow for denial of service attacks. IBM has addressed the relevant CVE. Vulnerability Details CVEID:CVE-2021-39041 DESCRIPTION: IBM QRadar SIEM may be vulnerable to partial...

CVSS 5.3 | AI score 5 | EPSS 0.00363
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:18 a.m. | 45 views

Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight

Summary There are multiple vulnerabilities in Liberty, IBM Runtime Environment Java Version 8.0, Dojo and OpenSSL used by IBM MessageGateway/ MessageSight Vulnerability Details CVEID:CVE-2022-21365 DESCRIPTION: An unspecified vulnerability in Java SE related to the ImageIO component could allow a...

CVSS 6.5 | AI score 9.6 | EPSS 0.05612
Exploits: 1 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:17 a.m. | 32 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information disclosure CVE-2022-22506 Vulnerability Details CVEID:CVE-2022-22506 DESCRIPTION: IBM Robotic Process Automation contains a vulnerability that could allow user IDs to be exposed across tenants. CV...

CVSS 4.6 | AI score 4.5 | EPSS 0.00037
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:16 a.m. | 49 views

Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345)

Summary IBM QRadar SIEM is vulnerable to cross site scripting XSS. IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2022-22320 DESCRIPTION: IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the...

CVSS 4.8 | AI score 4.9 | EPSS 0.00143
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:16 a.m. | 31 views

Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

Summary A vulnerability in the challenge / response authentication mechanism used by IBM remote support may allow unauthorized access as credentials can be reused on the product's management GUI. Vulnerability Details CVEID:CVE-2021-38969 DESCRIPTION: IBM Spectrum Virtualize could allow an attack...

CVSS 9.8 | AI score 7.7 | EPSS 0.00189
Exploits: 0 | Affected Software: 10

IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 52 views

Security Bulletin: UC Deploy Container images may contain non-unique HTTPS certificates and database encryption key. (CVE-2021-39082)

Summary CVE-2021-39082 The provided UC Deploy Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages. Vulnerability Details...

CVSS 7.5 | AI score 7.4 | EPSS 0.00135
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 26 views

Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001)

Summary WebSphere Application Server Liberty used by Rational Asset Analyzer is vulnerable to remote code execution due to Dojo. This has been addressed. Vulnerability Details CVEID:CVE-2021-23450 DESCRIPTION: Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a...

CVSS 9.8 | AI score 9.5 | EPSS 0.01995
Exploits: 2 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 28 views

Security Bulletin: IBM DataPower Gateway may permit admin users to view and edit files that are not allowed to be read via RBM access rights (CVE-2022-22326)

Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-22326 DESCRIPTION: IBM MQ Appliance could allow unauthorized viewing of logs and files due to insufficient authorisation checks. CVSS Base score: 4 CVSS Temporal Score: See:...

CVSS 4 | AI score 3.6 | EPSS 0.00054
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:14 a.m. | 42 views

Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilities

Summary IBM Cognos Analytics Mobile is affected by security vulnerabilities. These have been addressed in IBM Cognos Analytics Mobile 1.1.14. Vulnerability Details CVEID:CVE-2021-39080 DESCRIPTION: Due to weak obfuscation, IBM Cognos Analytics Mobile for Android application prior to version 1.1.1...

CVSS 7.5 | AI score 6.2 | EPSS 0.00136
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 248 views

Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Summary Cloud Pak for Security CP4S v1.8.1.0 and earlier uses packages that are vulnerable to several CVEs. These have been remediated in the latest product release. Please see below for CVE details and the Remediation section for upgrade instructions. Vulnerability Details CVEID:CVE-2015-8985...

CVSS 9.3 | AI score 9.9 | EPSS 0.04822
Exploits: 6 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 60 views

Security Bulletin: Apache Log4j vulnerability (CVE-2021-4422) addressed in IBM Watson Machine Learning Accelerator

Summary Apache Log4j, which is used by and included with IBM Watson Machine Learning Accelerator, contains security vulnerability issue CVE-2021-44228. This bulletin provides mitigations for the Log4Shell vulnerability CVE-2021-44228 by applying workaround steps to IBM Watson Machine Learning...

CVSS 10 | AI score 8.7 | EPSS 0.94358
Exploits: 342 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 35 views

Security Bulletin: XSS vulnerability affects IBM Cloud Object Storage System (CVE-2021-39014)

Summary XSS vulnerability affects IBM Cloud Object Storage System CVE-2021-39014. This vulnerability has been addressed in the latest ClevOS releases. Vulnerability Details CVEID:CVE-2021-39014 DESCRIPTION: IBM Cloud Object System is vulnerable to stored cross-site scripting. This vulnerability...

CVSS 6.4 | AI score 5.5 | EPSS 0.00171
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:12 a.m. | 21 views

Security Bulletin: Lucky 13 Attack Vulnerability in IBM Robotic Process Automation with Automation Anywhere - CVE-2021-29876

Summary The Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security TLS protocol that use the CBC mode of operation. An attacker could perform man in the middle attacks to successfully obtain plain text from the secure channel. Vulnerabili...

AI score 6.1
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:12 a.m. | 13 views

Security Bulletin: IBM InfoSphere Information Server is vulnerable to a Cross-Frame Scripting Exploit (CVE-2021-29827)

Summary A cross-frame scripting vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2021-29827 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a...

CVSS 5.2 | AI score 5 | EPSS 0.00052
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:11 a.m. | 81 views

Security Bulletin: Apache Tomcat Vulnerabilities Affect IBM Sterling B2B Integrator

Summary IBM Sterling B2B Integrator has addressed the security vulnerabilities. Vulnerability Details CVEID:CVE-2016-8735 DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially...

CVSS 9.8 | AI score 9.7 | EPSS 0.93802
Exploits: 13 | Affected Software: 1

IBM Security Bulletins
added 2025/04/29 2:11 a.m. | 17 views

Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-29834

Summary Process Center Console in IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to a Cross-Site Scripting attack. Vulnerability Details CVEID:CVE-2021-29834 DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager is vulnerable to stored...

CVSS 6.4 | AI score 5.2 | EPSS 0.00105
Exploits: 0 | Affected Software: 4

IBM Security Bulletins
added 2025/04/29 2:10 a.m. | 75 views

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452)

Summary IBM Rational Build Forge version 8.0.x is affected by CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452 Vulnerability Details CVEID:CVE-2021-31618 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of...

CVSS 7.5 | AI score 7.8 | EPSS 0.60353
Exploits: 0 | Affected Software: 1

Total number of security vulnerabilities: 34986