
35005 matches found

IBM Security Bulletins
added 2025/04/29 2:21 a.m. | 28 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens (CVE-2022-22412)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to insufficiently protected access tokens CVE-2022-22412 Vulnerability Details CVEID:CVE-2022-22412 DESCRIPTION: IBM Robotic Process Automation could allow a user with access to the local host client machine to obtain a login...

CVSS 4.6 | AI score 4.4 | EPSS 0.00085
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:20 a.m. | 37 views

Security Bulletin: IBM QRadar SIEM is vulnerable to information disclosure (CVE-2021-38936)

Summary IBM QRadar SIEM is vulnerable to information disclosure. IBM QRadar SIEM has addressed the applicable CVE. Vulnerability Details CVEID:CVE-2021-38936 DESCRIPTION: IBM QRadar SIEM could disclose highly sensitive information to a privileged user. CVSS Base score: 4.9 CVSS Temporal Score: Se...

CVSS 4.9 | AI score 4.7 | EPSS 0.00189
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:20 a.m. | 30 views

Security Bulletin: IBM QRadar SIEM is vulnerable to denial of service attack due to CVE-2021-39041

Summary The Common and TCPMultilineSyslog protocol components as used by IBM QRadar SIEM contain vulnerabilities which may allow for denial of service attacks. IBM has addressed the relevant CVE. Vulnerability Details CVEID:CVE-2021-39041 DESCRIPTION: IBM QRadar SIEM may be vulnerable to partial...

CVSS 5.3 | AI score 5 | EPSS 0.00363
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:18 a.m. | 45 views

Security Bulletin: Multiple vulnerabilities in multiple dependencies affect IBM MessageGateway/ MessageSight

Summary There are multiple vulnerabilities in Liberty, IBM Runtime Environment Java Version 8.0, Dojo and OpenSSL used by IBM MessageGateway/ MessageSight Vulnerability Details CVEID:CVE-2022-21365 DESCRIPTION: An unspecified vulnerability in Java SE related to the ImageIO component could allow a...

CVSS 6.5 | AI score 9.6 | EPSS 0.05612
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:17 a.m. | 32 views

Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information exposure (CVE-2022-22506)

Summary Security Bulletin: IBM Robotic Process Automation is vulnerable to cross tenant information disclosure CVE-2022-22506 Vulnerability Details CVEID:CVE-2022-22506 DESCRIPTION: IBM Robotic Process Automation contains a vulnerability that could allow user ids may be exposed across tenants. CV...

CVSS 4.6 | AI score 4.5 | EPSS 0.00037
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:16 a.m. | 49 views

Security Bulletin: IBM QRadar SIEM is vulnerable to cross-site scripting (XSS) (CVE-2022-22345)

Summary IBM QRadar SIEM is vulnerable to cross site scripting XSS. IBM QRadar SIEM has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2022-22320 DESCRIPTION: IBM QRadar is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the...

CVSS 4.8 | AI score 4.9 | EPSS 0.00143
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:16 a.m. | 31 views

Security Bulletin: Vulnerability in remote support authentication affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products

Summary A vulnerability in the challenge / response authentication mechanism used by IBM remote support may allow unauthorized access as credentials can be reused on the product's management GUI. Vulnerability Details CVEID:CVE-2021-38969 DESCRIPTION: IBM Spectrum Virtualize could allow an attack...

CVSS 9.8 | AI score 7.7 | EPSS 0.00189
Exploits: 0 | Affected Software: 10
IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 52 views

Security Bulletin: UC Deploy Container images may contain non-unique https certificates and database encryption key. (CVE-2021-39082 )

Summary CVE-2021-39082 The provided UC Deploy Container images contain non-unique HTTPS certificates and a database encryption key. The fix provides directions and tools to replace the non-unique keys and certificates. This does not affect the standard installer packages. Vulnerability Details...

CVSS 7.5 | AI score 7.4 | EPSS 0.00135
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 26 views

Security Bulletin: Rational Asset Analyzer is affected by two WebSphere Application Server vulnerabilities. (CVE-2021-23450, CVE-1999-0001)

Summary WebSphere Application Server Liberty used by Rational Asset Analyzer is vulnerable to remote code execution due to Dojo. This has been addressed. Vulnerability Details CVEID:CVE-2021-23450 DESCRIPTION: Dojo could allow a remote attacker to execute arbitrary code on the system, caused by a...

CVSS 9.8 | AI score 9.5 | EPSS 0.01995
Exploits: 2 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:15 a.m. | 28 views

Security Bulletin: IBM DataPower Gateway may permit admin users to view and edit files that are not allowed to be read via RBM access rights (CVE-2022-22326)

Summary IBM has addressed the CVE Vulnerability Details CVEID:CVE-2022-22326 DESCRIPTION: IBM MQ Appliance could allow unauthorized viewing of logs and files due to insufficient authorisation checks. CVSS Base score: 4 CVSS Temporal Score: See:...

CVSS 4 | AI score 3.6 | EPSS 0.00054
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:14 a.m. | 42 views

Security Bulletin: IBM Cognos Analytics Mobile is affected by security vulnerabilities

Summary IBM Cognos Analytics Mobile is affected by security vulnerabilities. These have been addressed in IBM Cognos Analytics Mobile 1.1.14. Vulnerability Details CVEID:CVE-2021-39080 DESCRIPTION: Due to weak obfuscation, IBM Cognos Analytics Mobile for Android application prior to version 1.1.1...

CVSS 7.5 | AI score 6.2 | EPSS 0.00136
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 248 views

Security Bulletin: Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Summary Cloud Pak for Security CP4S v1.8.1.0 and earlier uses packages that are vulnerable to several CVEs. These have been remediated in the latest product release. Please see below for CVE details and the Remediation section for upgrade instructions. Vulnerability Details CVEID:CVE-2015-8985...

CVSS 9.3 | AI score 9.9 | EPSS 0.04822
Exploits: 6 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 60 views

Security Bulletin: Apache Log4j vulnerability (CVE-2021-4422) addressed in IBM Watson Machine Learning Accelerator

Summary Apache Log4j, which is used by and included with IBM Watson Machine Learning Accelerator, contains security vulnerability issue CVE-2021-44228. This bulletin provides mitigations for the Log4Shell vulnerability CVE-2021-44228 by applying workaround steps to IBM Watson Machine Learning...

CVSS 10 | AI score 8.7 | EPSS 0.94358
Exploits: 342 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:13 a.m. | 35 views

Security Bulletin: XSS vulnerability affects IBM Cloud Object Storage System (CVE-2021-39014)

Summary XSS vulnerability affects IBM Cloud Object Storage System CVE-2021-39014. This vulnerability has been addressed in the latest ClevOS releases. Vulnerability Details CVEID:CVE-2021-39014 DESCRIPTION: IBM Cloud Object System is vulnerable to stored cross-site scripting. This vulnerability...

CVSS 6.4 | AI score 5.5 | EPSS 0.00171
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:12 a.m. | 21 views

Security Bulletin: Lucky 13 Attack Vulnerability in IBM Robotic Process Automation with Automation Anywhere - CVE-2021-29876

Summary The Lucky Thirteen attack is a crystallographic timing attack against implementations of the Transport Layer Security TLS protocol that use the CBC mode of operation. An attacker could perform man in the middle attacks to successfully obtain plain text from the secure channel. Vulnerabili...

AI score 6.1
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:12 a.m. | 13 views

Security Bulletin: IBM InfoSphere Information Server is vulnerable to a Cross-Frame Scripting Exploit (CVE-2021-29827)

Summary A cross-frame scripting vulnerability in IBM InfoSphere Information Server was addressed. Vulnerability Details CVEID:CVE-2021-29827 DESCRIPTION: IBM InfoSphere Information Server could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a...

CVSS 5.2 | AI score 5 | EPSS 0.00052
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:11 a.m. | 81 views

Security Bulletin: Apache Tomcat Vulnerabilities Affect IBM Sterling B2B Integrator

Summary IBM Sterling B2B Integrator has addressed the security vulnerabilities. Vulnerability Details CVEID:CVE-2016-8735 DESCRIPTION: Apache Tomcat could allow a remote attacker to execute arbitrary code on the system, caused by an error in the JmxRemoteLifecycleListener. By sending specially...

CVSS 9.8 | AI score 9.7 | EPSS 0.93802
Exploits: 13 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:11 a.m. | 17 views

Security Bulletin: Cross-Site Scripting vulnerability affect IBM Business Automation Workflow and IBM Business Process Manager (BPM) - CVE-2021-29834

Summary Process Center Console in IBM Business Process Manager and IBM Business Automation Workflow is vulnerable to a Cross-Site Scripting attack. Vulnerability Details CVEID:CVE-2021-29834 DESCRIPTION: IBM Business Automation Workflow and IBM Business Process Manager is vulnerable to stored...

CVSS 6.4 | AI score 5.2 | EPSS 0.00105
Exploits: 0 | Affected Software: 4
IBM Security Bulletins
added 2025/04/29 2:10 a.m. | 75 views

Security Bulletin: IBM Rational Build Forge 8.0.x is affected by Apache HTTP Server version used in it. (CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452)

Summary IBM Rational Build Forge version 8.0.x is affected by CVE-2021-31618, CVE-2020-13950, CVE-2019-17567, CVE-2020-26691, CVE-2021-26690, CVE-2020-13938, CVE-2021-30641, CVE-2020-35452 Vulnerability Details CVEID:CVE-2021-31618 DESCRIPTION: Apache HTTP Server is vulnerable to a denial of...

CVSS 7.5 | AI score 7.8 | EPSS 0.60353
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:10 a.m. | 32 views

Security Bulletin: Multiple Vulnerabilities in Apache Commons Compress affect IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications (CVE-2021-33517, CVE-2021-36090)

Summary Multiple Vulnerabilities in Apache Commons Compress affect IBM WebSphere Application Server Liberty, which is bundled with IBM Cloud Pak for Applications CVE-2021-33517, CVE-2021-36090 Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...

CVSS 7.5 | AI score 7.8 | EPSS 0.00736
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:9 a.m. | 27 views

Security Bulletin: A mitigation is being announced to address CVE-2021-29789

Summary IBM products 8335-GTC, 8335-GTG, 8335-GTH, 8335-GTW, and 8335-GTX have identified a security vulnerability. BMC field mode is normally enabled but may not be enabled on systems which have had their BMC replaced. Vulnerability Details CVEID: CVE-2021-29789 Description: IBM BMCs could have...

AI score 6.5
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:8 a.m. | 21 views

Security Bulletin: A vulnerability in IBM Spectrum Scale could allow a local attacker to bypass the filesystem audit logging (CVE-2021-29671)

Summary A security vulnerability has been identified in IBM Spectrum Scale FAL that could allow a local attacker to bypass the FAL mechanism. A fix for this vulnerability is available. Vulnerability Details CVEID:CVE-2021-29671 DESCRIPTION: IBM Spectrum Scale could allow a local attacker to bypas...

CVSS 4 | AI score 3.6 | EPSS 0.00038
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:8 a.m. | 17 views

Security Bulletin: A security vulnerability has been identified in IBM Jazz for Service Management shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2020-4939)

Summary IBM Jazz for Service Management JazzSM is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting JazzSM has been published in a security bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...

AI score 5.6
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:7 a.m. | 15 views

Security Bulletin: IBM FileNet Content Manager GraphQL Cross-site request forgery security vulnerability

Summary IBM FileNet Content Manager in GraphQL, there is a Cross-site request forgery security vulnerability. Vulnerability Details CVEID:CVE-2020-4745 DESCRIPTION: IBM FileNet Content Manager is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and...

AI score 6.3
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:7 a.m. | 18 views

Security Bulletin: IBM Security Verify Information Queue displays the Grafana signing key when setting up the logs stack (CVE-2021-20412)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. Among the stack's components is a Grafana dashboard. The initialization file for Grafana contains a hard-coded signing key. As of ISIQ v10.0.0, this signing key has been removed...

CVSS 7.5 | AI score 7.6 | EPSS 0.00065
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:6 a.m. | 17 views

Security Bulletin: IBM Security Verify Information Queue does not sufficiently safeguard session IDs from session fixation attacks (CVE-2021-20411)

Summary The web server in IBM Security Verify Information Queue ISIQ does not always update the session identifier when a new user logs in. This could allow a session fixation attack in which a previously used session identifier gets commandeered by an impersonator. As of v10.0.0, ISIQ now...

CVSS 8.1 | AI score 7.9 | EPSS 0.00085
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:6 a.m. | 17 views

Security Bulletin: IBM Security Verify Information Queue does not hide the InfluxDB credentials when setting up the logs stack (CVE-2021-20410)

Summary IBM Security Verify Information Queue ISIQ offers an optional logs stack to demonstrate logging and monitoring. The logs stack YAML file has parameters for defining an InfluxDB instance. The parameters include the InfluxDB user and password credentials. As of ISIQ v10.0.0, these credentia...

CVSS 5.3 | AI score 5.3 | EPSS 0.00122
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:6 a.m. | 20 views

Security Bulletin: IBM Security Verify Information Queue does not always enable HTTP Strict Transport Security when sending error responses (CVE-2021-20409)

Summary The web server in IBM Security Verify Information Queue ISIQ does not add the HTTP Strict Transport Security header in its internally generated error responses. Consequently, a remote attacker could obtain sensitive information from an insecure HTTP connection. As of v10.0.0, ISIQ is...

CVSS 7.5 | AI score 7.4 | EPSS 0.00094
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:5 a.m. | 20 views

Security Bulletin: IBM Security Verify Information Queue does not sufficiently protect the key that encrypts and decrypts product credentials (CVE-2021-20408)

Summary The key used by IBM Security Verify Information Queue ISIQ to encrypt and decrypt product credentials is stored in an ISIQ configuration file. To prevent unauthorized product access, this key should be better protected. As of v10.0.0, ISIQ is now using a separate Vault service to handle a...

CVSS 7.1 | AI score 5 | EPSS 0.00019
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:5 a.m. | 17 views

Security Bulletin: IBM Security Verify Information Queue discloses sensitive information in source code (CVE-2021-20407)

Summary The source code for a Node.js package used by IBM Security Verify Information Queue ISIQ includes the email address of one of the developers of the package. As of v10.0.0, ISIQ is now hiding this sensitive information. Vulnerability Details CVEID:CVE-2021-20407 DESCRIPTION: IBM Security...

CVSS 7.5 | AI score 7.5 | EPSS 0.00076
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:4 a.m. | 23 views

Security Bulletin: IBM Security Verify Information Queue uses a relatively weak cryptographic algorithm to protect application data (CVE-2021-20406)

Summary The cryptographic algorithm that IBM Security Verify Information Queue ISIQ uses to encrypt and decrypt application data has a JSON web token JWT signing key that is shorter than the recommended length. As of v10.0.0, ISIQ has doubled the length of its JWT signing key to be in compliance...

CVSS 4.9 | AI score 4.8 | EPSS 0.00089
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:4 a.m. | 21 views

Security Bulletin: IBM Planning Analytics has addressed a security vulnerability (CVE-2020-4764)

Summary This Security Bulletin addresses a security vulnerability that has been remediated in IBM Planning Analytics 2.0.9.4 Vulnerability Details CVEID:CVE-2020-4764 DESCRIPTION: IBM Planning Analytics is vulnerable to cross-site request forgery which could allow an attacker to execute malicious...

CVSS 6.5 | AI score 6.3 | EPSS 0.00077
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:3 a.m. | 20 views

Security Bulletin: IBM Predictive Maintenance and Quality (PMQ) UI: Missing Secure Attribute in Encrypted Session (SSL) Cookie (CVE-2020-4423)

Summary PMQ UI web application sends non-secure cookies over SSL. It may be possible to steal user and session information cookies that was sent during an encrypted session. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Version...

AI score 5.8
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:3 a.m. | 20 views

Security Bulletin: CVE-2018-10886 ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory.

Summary ant before version 1.9.12 unzip and untar targets allows the extraction of files outside the target directory. A crafted zip or tar file submitted to an Ant build could create or overwrite arbitrary files with the privileges of the user running Ant. Vulnerability Details...

AI score 7.3
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:2 a.m. | 38 views

Security Bulletin: IBM TRIRIGA Application Platform may be affected by known vulnerabilities in db2jcc4.jar (CVE-2007-2582)

Summary IBM TRIRIGA Application may be vulnerable to multiple buffer overflows in DB2 Vulnerability Details CVEID:CVE-2007-2582 DESCRIPTION: Multiple buffer overflows in the DB2 JDBC Applet Server DB2JDS service in IBM DB2 9.x and earlier allow remote attackers to 1 execute arbitrary code via a...

CVSS 10 | AI score 9.5 | EPSS 0.21428
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:2 a.m. | 22 views

Security Bulletin: IBM OpenPages with Watson has addressed a Cross-Site Scripting (XSS) vulnerability (CVE-2020-4443)

Summary IBM OpenPages with Watson has addressed a Cross-Site Scripting XSS vulnerability CVE-2020-4443 Vulnerability Details CVEID:CVE-2020-4443 DESCRIPTION: IBM OpenPages with Watson is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the...

AI score 5.3
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:1 a.m. | 17 views

Security Bulletin: IBM OpenPages with Watson has addressed a reverse tabnabbing vulnerability (CVE-2020-4440)

Summary IBM OpenPages with Watson has addressed a reverse tabnabbing vulnerability CVE-2020-4440 Vulnerability Details CVEID:CVE-2020-4440 DESCRIPTION: IBM OpenPages with Watson could allow an authenticated user to replace a target page with a phishing site which could allow the attacker to obtai...

AI score 5.8
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:0 a.m. | 23 views

Security Bulletin: Trusteer Pinpoint affected by security vulnerability CVE-2020-4708

Summary Trusteer Pinpoint has addressed the issue. Vulnerability Details CVEID:CVE-2020-4708 DESCRIPTION: IBM Trusteer Pinpoint could disclose some information due to using a wildcard in the Access-Control-Allow-Origin header. CVSS Base score: 3.7 CVSS Temporal Score: See:...

CVSS 5.3 | AI score 4.7 | EPSS 0.00163
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 2:0 a.m. | 56 views

Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps

Summary Multiple vulnerabilities were addressed in IBM Cloud Pak for AIOps version 4.5.1 Vulnerability Details CVEID:CVE-2021-3538 DESCRIPTION: go.uuid could allow a remote attacker to obtain sensitive information, caused by the use of insecure randomness in the g.rand.Read function. By utilize...

CVSS 9.8 | AI score 10 | EPSS 0.56395
Exploits: 4 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 1:59 a.m. | 9 views

Security Bulletin: IBM Verify Gateway does not sufficiently guard against unauthorized API calls (CVE-2020-4847)

Summary When the IBM Verify Gateway IVG components make API calls, there is insufficient protection of tenant secrets. It's possible for an attacker to obtain the access token belonging to another tenant and issue an API while impersonating that tenant. As of v1.0.1 of IVG for RADIUS and IVG for...

AI score 5.9
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 1:59 a.m. | 19 views

Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability.

Summary IBM has announced a release for IBM Security Identity Governance and Intelligence IGI in response to security vulnerability. Hard coded credentials have been removed from the IBM Security Directory Integrator version used by IBM Security Identity Governance and Intelligence. Vulnerability...

AI score 6.3
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 1:58 a.m. | 38 views

Security Bulletin: Potential Oracle Outside In Technology Vulnerabilities Exposed in ECM Products (CVE-2011-2264, CVE-2011-0794, and CVE-2011-0808)

Question Oracle Outside In Technology contains exploitable vulnerabilities in the CorelDRAW CVE-2011-2264 file parser, the File ID SDK CVE-2011-0794, and file filters CVE-2011-0808. Each of these vulnerabilities may allow a remote, unauthenticated user to execute arbitrary code on a vulnerable...

CVSS 4.4 | AI score 7.1 | EPSS 0.04465
Exploits: 4 | Affected Software: 15
IBM Security Bulletins
added 2025/04/29 1:54 a.m. | 69 views

Security Bulletin: Multiple security vulnerabilities have been identified in IBM® DB2® shipped with IBM PureData System for Operational Analytics

Summary IBM® DB2® is shipped as a component of IBM PureData System for Operational Analytics. Information about security vulnerabilities affecting IBM DB2 have been published in a security bulletin. Vulnerability Details CVEID:CVE-2017-12973 DESCRIPTION: Connect2id Nimbus JOSE+JWT could provide...

CVSS 9.3 | AI score 10 | EPSS 0.50822
Exploits: 2 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 1:54 a.m. | 21 views

Security Bulletin: IBM Workload scheduler vulnerable to CVE-2019-4608 and CVE-2020-5028

Summary IBM Tivoli Dynamic Workload Console is potentially vulnerable to cross-site scripting. Vulnerability Details CVEID:CVE-2019-4608 DESCRIPTION: IBM Tivoli Workload Scheduler is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web ...

CVSS 5.4 | AI score 5.2 | EPSS 0.00211
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/29 1:53 a.m. | 17 views

Security Bulletin: Stored Cross-Site Scripting in Tivoli Application Dependency Discovery Manager (CVE-2020-4339)

Summary Stored Cross Site Scripting vulnerabilities have been found during the test on TADDM. It is mostly exploited in order to hijack authenticated users sessions. The issue results from lack of proper input verification and lack of proper output encoding. A stored XSS takes place when any user...

AI score 5.2
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/28 10:21 p.m. | 12 views

Security Bulletin: IBM Technical Support Appliance - possible security flaw in DHCP processing that may leak and disrupt network traffic

Summary A flaw in the network manager may cause network traffic to be read and possibly modified when it was expected that the network traffic was protected by a VPN. Vulnerability Details CVEID:CVE-2024-3661 DESCRIPTION: DHCP can add routes to a client’s routing table via the classless static...

CVSS 7.6 | AI score 6.3 | EPSS 0.02912
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2025/04/28 10:20 p.m. | 11 views

Security Bulletin: IBM Technical Support Appliance - possible security flaws or denial of service

Summary Several fixes to the Linux kernel for reported issues related to various security vulnerabilities such as denial of service, unauthorized access, or leakage of sensitive data. Vulnerability Details CVEID:CVE-2024-53088 DESCRIPTION: In the Linux kernel, the following vulnerability has been...

CVSS 5.5 | AI score 9.2 | EPSS 0.00015
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/28 8:41 p.m. | 11 views

Security Bulletin: IBM Cloud Kubernetes Service is affected by a containerd security vulnerability (CVE-2024-40635)

Summary IBM Cloud Kubernetes Service is affected by a security vulnerability found in containerd where containers launched with a User set as a UID:GID larger than the maximum 32-bit signed integer can cause an overflow condition where the container ultimately runs as root UID 0. This could cause...

CVSS 7.8 | AI score 6.5 | EPSS 0.00064
Exploits: 1 | Affected Software: 1
IBM Security Bulletins
added 2025/04/28 7:52 p.m. | 18 views

Security Bulletin: IBM Instana Observability is affected by multiple vulnerabilities within Instana Agent container image

Summary Multiple vulnerabilities were remediated in IBM Observability with Instana within Instana Agent container image build 1.0.294 Vulnerability Details CVEID:CVE-2024-45338 DESCRIPTION: An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to...

CVSS 9.8 | AI score 10 | EPSS 0.02981
Exploits: 0 | Affected Software: 1
IBM Security Bulletins
added 2025/04/28 1:59 p.m. | 9 views

Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses Jinja is an extensible templating engine. Jinja sandboxed environment interacts with the attr filter allows an attacker to attack.

Summary Security Bulletin: IBM Maximo Application Suite Ai-Service Component uses Jinja is an extensible templating engine. Jinja sandboxed environment interacts with the attr filter allows an attacker to attack.This bulletin contains information regarding the vulnerability and its fixture...

CVSS 8.8 | AI score 6.2 | EPSS 0.00121
Exploits: 0 | Affected Software: 1
Total number of security vulnerabilities: 35005